Vulnerabilities

CVE-2025-65267 | ERPNext/Frappe SVG Avatar Image cross site scripting

A vulnerability was found in ERPNext and Frappe and classified as problematic. Affected by this issue is some unknown functionality

CVE-2025-55182 | Meta react-server-dom-webpack 19.0.0/19.1.0/19.1.1/19.2.0 React Server deserialization

A vulnerability was found in Meta react-server-dom-webpack, react-server-dom-turbopack and react-server-dom-parcel 19.0.0/19.1.0/19.1.1/19.2.0. It has been classified as critical. This affects an

CVE-2025-57199 | AVTECH DGM1104 FullImg-1015-1004-1006-1003 NetFailDetectD command injection

A vulnerability was found in AVTECH DGM1104 FullImg-1015-1004-1006-1003. It has been declared as critical. This vulnerability affects unknown code of

CVE-2025-7044 | Ubuntu MAAS up to 3.3.10/3.4.8/3.5.8/3.6.1 WebSocket Request is_superuser privileges management

A vulnerability was found in Ubuntu MAAS up to 3.3.10/3.4.8/3.5.8/3.6.1. It has been rated as critical. This issue affects some

openSUSE Leap 16.0 Python-Cbor2 Important Issues Addressed 2025-20133-1

An update that solves 2 vulnerabilities and has 2 bug fixes can now be installed.

CVE-2025-13947 | WebKitGTK information disclosure

A vulnerability described as problematic has been identified in WebKitGTK. The affected element is an unknown function. The manipulation results

CVE-2025-39665 | Nagvis Checkmk MultisiteAuth up to 1.9.47 information exposure

A vulnerability classified as problematic has been found in Nagvis Checkmk MultisiteAuth up to 1.9.47. The impacted element is an

Debian 11: Mako Important Denial of Service Fix DLA-4393-1 CVE-2022-40023

It was found that Mako, a Python template library, was vulnerable to a denial of service attack via crafted regular

CVE-2025-13945 | Wireshark 4.6.0 HTTP3 Dissector improperly controlled sequential memory allocation (ID 20860)

A vulnerability was found in Wireshark 4.6.0. It has been classified as problematic. Affected is an unknown function of the

CVE-2025-13946 | Wireshark up to 4.4.10/4.6.0 MEGACO Dissector infinite loop (ID 20884)

A vulnerability was found in Wireshark up to 4.4.10/4.6.0. It has been declared as problematic. Affected by this vulnerability is

CVE-2025-12744 | ABRT up to 2.17.6 os command injection

A vulnerability was found in ABRT up to 2.17.6. It has been rated as critical. Affected by this issue is

CVE-2025-13472 | Perforce BlazeMeter Plugin up to 4.26 on Jenkins authorization

A vulnerability categorized as problematic has been discovered in Perforce BlazeMeter Plugin up to 4.26 on Jenkins. This affects an

CVE-2025-29864 | ESTsoft ALZip up to 12.28 on Windows protection mechanism

A vulnerability identified as critical has been detected in ESTsoft ALZip up to 12.28 on Windows. This vulnerability affects unknown

CVE-2025-13948 | opsre go-ldap-admin up to 20251011 JWT docker-compose.yaml secret key hard-coded key

A vulnerability labeled as problematic has been found in opsre go-ldap-admin up to 20251011. This issue affects some unknown processing

CVE-2025-13949 | ProudMuBai GoFilm 1.0.0/1.0.1 FileController.go SingleUpload File unrestricted upload

A vulnerability marked as critical has been reported in ProudMuBai GoFilm 1.0.0/1.0.1. Impacted is the function SingleUpload of the file

Fedora 41 Applies Critical Security Patch for NextCloud 32.0.3 Update

32.0.2 release RHBZ#2416087 RHBZ#2415750 RHBZ#2415751 RHBZ#2415752 RHBZ#2415753

Fedora 41: openbao 2.4.4 Important Security Issues DoS 2025-45a7dd8f10

update to upstream 2.4.4, which fixed CVE-2025-64761. Adds hsm tag. The fedora-41 build was done with golang-1.24.10 which fixed CVE-2025-58189,

CVE-2025-64298 | Mirion Medical EC2 Software NMIS BioDose up to 22.02 Microsoft SQLServer Express permission assignment (icsma-25-336-01)

A vulnerability classified as critical has been found in Mirion Medical EC2 Software NMIS BioDose up to 22.02. Affected by

CVE-2025-62575 | Mirion Medical EC2 Software NMIS BioDose up to 22.02 Microsoft SQL Server Database permission assignment (icsma-25-336-01)

A vulnerability classified as critical was found in Mirion Medical EC2 Software NMIS BioDose up to 22.02. This affects an

CVE-2025-65657 | FeehiCMS 2.1.1 unrestricted upload (Issue 78)

A vulnerability, which was classified as critical, has been found in FeehiCMS 2.1.1. This vulnerability affects unknown code. The manipulation

CVE-2025-65380 | PHPGurukul Billing System 1.0 /admin/index.php Username sql injection

A vulnerability, which was classified as critical, was found in PHPGurukul Billing System 1.0. This issue affects some unknown processing

CVE-2025-12954 | MotoPress Timetable and Event Schedule Plugin up to 2.4.15 on WordPress authorization (EUVD-2025-200729)

A vulnerability has been found in MotoPress Timetable and Event Schedule Plugin up to 2.4.15 on WordPress and classified as

CVE-2025-66476 | Vim up to 9.1.1946 on Windows cmd.exe uncontrolled search path (GHSA-g77q-xrww-p834 / 083ec6d9a3b7b09006e0ce69ac802597d25)

A vulnerability was found in Vim up to 9.1.1946 on Windows and classified as problematic. The affected element is an

CVE-2025-65955 | ImageMagick up to 6.9.13-33/7.1.2-8 Magick++ Layer Options::fontFamily double free (GHSA-q3hc-j9x5-mp9m)

A vulnerability was found in ImageMagick up to 6.9.13-33/7.1.2-8. It has been classified as critical. The impacted element is the

CVE-2025-61940 | Mirion Medical EC2 Software NMIS BioDose up to 22.02 SQL Server client-side authentication (icsma-25-336-01)

A vulnerability was found in Mirion Medical EC2 Software NMIS BioDose up to 22.02. It has been declared as critical.

CVE-2025-64642 | Mirion Medical EC2 Software NMIS BioDose up to 22.02 Installation Directory permission assignment (icsma-25-336-01)

A vulnerability was found in Mirion Medical EC2 Software NMIS BioDose up to 22.02. It has been rated as problematic.

CVE-2025-64778 | Mirion Medical EC2 Software NMIS BioDose up to 22.02 hard-coded credentials (icsma-25-336-01)

A vulnerability categorized as critical has been discovered in Mirion Medical EC2 Software NMIS BioDose up to 22.02. Affected is

CVE-2025-55181 | Facebook proxygen up to 2025.12.01.00 Body proxygen::coro iteration

A vulnerability identified as problematic has been detected in Facebook proxygen up to 2025.12.01.00. Affected by this vulnerability is the

CVE-2025-13342 | DynamiApps Frontend Admin Plugin up to 3.28.20 on WordPress ActionOptions::run

A vulnerability labeled as critical has been found in DynamiApps Frontend Admin Plugin up to 3.28.20 on WordPress. Affected by

CVE-2025-13390 | WP Directory Kit Plugin up to 1.4.4 on WordPress wdk_generate_auto_login_link improper authentication

A vulnerability marked as critical has been reported in WP Directory Kit Plugin up to 1.4.4 on WordPress. This affects

CVE-2025-13109 | Husky Plugin up to 1.3.7.2 on WordPress woof_add_query/woof_remove_query resource injection

A vulnerability described as critical has been identified in Husky Plugin up to 1.3.7.2 on WordPress. This vulnerability affects the

CVE-2025-13756 | Fluent Booking Plugin up to 1.9.11 on WordPress importCalendar authorization

A vulnerability classified as critical has been found in Fluent Booking Plugin up to 1.9.11 on WordPress. This issue affects

CVE-2025-12358 | ShopEngine Plugin up to 4.8.5 on WordPress Wishlist post_add_to_list cross-site request forgery

A vulnerability classified as problematic was found in ShopEngine Plugin up to 4.8.5 on WordPress. Impacted is the function post_add_to_list

CVE-2025-13354 | Tag, Category, and Taxonomy Manager Plugin up to 3.40.1 on WordPress taxopress_merge_terms_batch authorization

A vulnerability, which was classified as problematic, has been found in Tag, Category, and Taxonomy Manager Plugin up to 3.40.1

CVE-2025-13359 | Tag, Category, and Taxonomy Manager Plugin up to 3.40.1 on WordPress sql injection

A vulnerability, which was classified as critical, was found in Tag, Category, and Taxonomy Manager Plugin up to 3.40.1 on

CVE-2025-12887 | Post SMTP Plugin up to 3.6.1 on WordPress handle_gmail_oauth_redirect authorization

A vulnerability has been found in Post SMTP Plugin up to 3.6.1 on WordPress and classified as problematic. This affects

CVE-2025-13401 | Autoptimize Plugin up to 3.1.13 on WordPress create_img_preload_tag cross site scripting

A vulnerability was found in Autoptimize Plugin up to 3.1.13 on WordPress and classified as problematic. This impacts the function

Fedora 43: openbao Critical Root Escalation Fix 2025-c7f4367479

update to upstream 2.4.4, fixing CVE-2025-64761. Adds hsm tag. The fedora-43 build was done with golang-1.25.4 which fixed CVE-2025-58189, CVE-2025-58188,

Fedora 42: Crucial Restic Security Advisory CVE-2025-47910 Update

Update to 0.18.1

Fedora 42: Critical NextCloud 32.0.2 Authorization Bypass Advisory

32.0.2 release RHBZ#2416087 RHBZ#2415750 RHBZ#2415751 RHBZ#2415752 RHBZ#2415753

Fedora 42: TigerVNC Important CVE Fixes for Remote Access 2025-f59b250c31

Fix recent xorg-x11-server CVEs: Fixes: CVE-2025-62229 CVE-2025-62230 CVE-2025-62231

Fedora 42: openbao Critical CVE-2025-64761 Privileged Escalation Advisory

update to upstream 2.4.4, which fixed CVE-2025-64761. Adds hsm tag. The fedora-42 build was done with golang-1.24.10 which fixed CVE-2025-58183.

Debian: Critical Denial of Service & Privilege Escalation DSA-6067-1

Two security vulnerabilities were discovered in the Containerd container runtime, which may result in denial of service or local privilege

Debian 11: Xen Critical Privilege Escalation DSA-6068-1 CVE-2024-28956

Multiple vulnerabilities have been discovered in the Xen hypervisor, which could result in memory disclosure, denial of service or privilege

CVE-2025-13633 | Google Chrome up to 142.0.7444.175 Digital Credentials use after free (ID 458082)

A vulnerability identified as critical has been detected in Google Chrome. Impacted is an unknown function of the component Digital

CVE-2025-13630 | Google Chrome up to 142.0.7444.175 V8 type confusion (ID 456547)

A vulnerability labeled as critical has been found in Google Chrome. The affected element is an unknown function of the

CVE-2025-13631 | Google Chrome up to 142.0.7444.175 on macOS Google Updater Remote Code Execution (ID 448113)

A vulnerability marked as critical has been reported in Google Chrome on macOS. The impacted element is an unknown function

CVE-2025-13636 | Google Chrome up to 142.0.7444.175 Split View ui layer (ID 446181)

A vulnerability described as problematic has been identified in Google Chrome. This affects an unknown function of the component Split

CVE-2025-13637 | Google Chrome up to 142.0.7444.175 Downloads access control (ID 392375)

A vulnerability classified as critical has been found in Google Chrome. This impacts an unknown function of the component Downloads.

CVE-2025-13638 | Google Chrome up to 142.0.7444.175 Media Stream use after free (ID 448046)

A vulnerability classified as critical was found in Google Chrome. Affected is an unknown function of the component Media Stream.

CVE-2025-13639 | Google Chrome up to 142.0.7444.175 WebRTC access control (ID 448408)

A vulnerability, which was classified as critical, has been found in Google Chrome. Affected by this vulnerability is an unknown

CVE-2025-13720 | Google Chrome up to 142.0.7444.175 Loader type conversion (ID 457818)

A vulnerability, which was classified as critical, was found in Google Chrome. Affected by this issue is some unknown functionality

CVE-2025-13632 | Google Chrome up to 142.0.7444.175 DevTools sandbox (ID 439058)

A vulnerability has been found in Google Chrome and classified as critical. This affects an unknown part of the component

CVE-2025-65379 | PHPGurukul Billing System 1.0 password-recovery.php username/mobileno sql injection

A vulnerability was found in PHPGurukul Billing System 1.0 and classified as critical. This vulnerability affects unknown code of the

CVE-2025-13634 | Google Chrome up to 142.0.7444.175 on Windows Downloads Remote Code Execution (ID 429140)

A vulnerability was found in Google Chrome on Windows. It has been classified as critical. This issue affects some unknown

CVE-2025-13635 | Google Chrome up to 142.0.7444.175 Downloads ui layer (ID 405727)

A vulnerability was found in Google Chrome. It has been declared as problematic. Impacted is an unknown function of the

CVE-2025-13640 | Google Chrome up to 142.0.7444.175 Passwords improper authentication (ID 452071)

A vulnerability was found in Google Chrome. It has been rated as critical. The affected element is an unknown function

CVE-2025-13721 | Google Chrome up to 142.0.7444.175 v8 race condition (ID 355120)

A vulnerability categorized as problematic has been discovered in Google Chrome. The impacted element is an unknown function of the

CVE-2025-61729 | crypto-x509 up to 1.24.10/1.25.4 on Go HostnameError.Error resource consumption

A vulnerability identified as problematic has been detected in crypto-x509 up to 1.24.10/1.25.4 on Go. This affects the function HostnameError.Error.

CVE-2025-65877 | Lvzhou CMS Title sql injection

A vulnerability labeled as critical has been found in Lvzhou CMS. This impacts an unknown function of the component com.wanli.lvzhoucms.service.ContentService#findPage.

CVE-2025-66468 | aimeos ai-cms-grapesjs cross site scripting (GHSA-424m-fj2q-g7vg)

A vulnerability marked as problematic has been reported in aimeos ai-cms-grapesjs. Affected is an unknown function. This manipulation causes cross

CVE-2025-13486 | Advanced Custom Fields Plugin up to 0.9.1.1 on WordPress prepare_form Remote Code Execution

A vulnerability described as critical has been identified in Advanced Custom Fields Plugin up to 0.9.1.1 on WordPress. Affected by

CVE-2025-65105 | Apptainer up to 1.4.4 symlink (GHSA-j3rw-fx6g-q46j)

A vulnerability was found in Apptainer up to 1.4.4. It has been classified as critical. The affected element is an

CVE-2025-66416 | modelcontextprotocol python-sdk up to 1.22.x insecure default initialization of resource

A vulnerability was found in modelcontextprotocol python-sdk up to 1.22.x. It has been declared as problematic. The impacted element is

CVE-2025-12630 | Upload.am Plugin up to 1.0.0 on WordPress AJAX Request authorization

A vulnerability was found in Upload.am Plugin up to 1.0.0 on WordPress. It has been rated as problematic. This affects

CVE-2025-65358 | edoc-doctor-appointment-system 1.0.1 /admin/appointment.php docid sql injection

A vulnerability categorized as critical has been discovered in edoc-doctor-appointment-system 1.0.1. This impacts an unknown function of the file /admin/appointment.php.

CVE-2025-65656 | Dcat-Admin up to 2.2.3-beta VersionManager.php file inclusion

A vulnerability identified as problematic has been detected in Dcat-Admin up to 2.2.3-beta. Affected is an unknown function of the

CVE-2025-13827 | Mautic up to 4.4.17/5.2.8/6.0.6 GrapesJS Builder unrestricted upload (GHSA-5xw2-57jx-pgjp)

A vulnerability labeled as critical has been found in Mautic up to 4.4.17/5.2.8/6.0.6. Affected by this vulnerability is an unknown

CVE-2025-64750 | sylabs singularity up to 4.1.10/4.3.4 /proc symlink (GHSA-fh74-hm69-rqjw)

A vulnerability marked as critical has been reported in sylabs singularity up to 4.1.10/4.3.4. Affected by this issue is some

CVE-2025-66399 | Cacti up to 1.2.28 SNMP command injection (GHSA-c7rr-2h93-7gjf)

A vulnerability described as critical has been identified in Cacti up to 1.2.28. This affects an unknown part of the

CVE-2025-60736 | code-projects Online Medicine Guide 1.0 /login.php upass sql injection

A vulnerability classified as critical has been found in code-projects Online Medicine Guide 1.0. This vulnerability affects unknown code of

CVE-2025-58113 | PDF-XChange Editor 10.7.3.401 EMF File Parser out-of-bounds (TALOS-2025-2280)

A vulnerability classified as problematic was found in PDF-XChange Editor 10.7.3.401. This issue affects some unknown processing of the component

CVE-2025-58386 | Terminalfour up to 8.4.1.1 User Management userLevel improper authorization

A vulnerability, which was classified as critical, has been found in Terminalfour up to 8.4.1.1. Impacted is an unknown function

CVE-2025-13828 | Mautic up to 4.4.17/5.2.8/6.0.6 authorization (GHSA-3fq7-c5m8-g86x)

A vulnerability, which was classified as critical, was found in Mautic up to 4.4.17/5.2.8/6.0.6. The affected element is an unknown

CVE-2025-60854 | D-Link R15 up to 1.20.01 Password Change model name command injection

A vulnerability has been found in D-Link R15 up to 1.20.01 and classified as critical. The impacted element is an

CVE-2025-66409 | Espressif ESP-IDF up to 5.1.6/5.2.6/5.3.4/5.4.3/5.5.1 out-of-bounds

A vulnerability was found in Espressif ESP-IDF up to 5.1.6/5.2.6/5.3.4/5.4.3/5.5.1 and classified as problematic. This affects an unknown function. Such

CVE-2025-66414 | modelcontextprotocol typescript-sdk up to 1.23.x insecure default initialization of resource

A vulnerability was found in modelcontextprotocol typescript-sdk up to 1.23.x. It has been classified as problematic. This impacts an unknown

CVE-2025-65215 | SourceCodester Web-based Pharmacy Product Management System 1.0 add-supplier.php Name cross site scripting

A vulnerability was found in SourceCodester Web-based Pharmacy Product Management System 1.0. It has been declared as problematic. Affected is

CVE-2025-65881 | SourceCodester Zoo Management System 1.0 /classes/Login.php cross site scripting

A vulnerability was found in SourceCodester Zoo Management System 1.0. It has been rated as problematic. Affected by this vulnerability

CVE-2025-65187 | CiviCRM up to 6.6 Accounting Batches cross site scripting

A vulnerability categorized as problematic has been discovered in CiviCRM up to 6.6. Affected by this issue is some unknown

CVE-2025-52622 | HCL BigFix SaaS Remediate insecure default initialization of resource (KB0127171)

A vulnerability identified as critical has been detected in HCL BigFix SaaS Remediate. This affects an unknown part. This manipulation

CVE-2025-65844 | EverShop 2.0.1 /api/images unrestricted upload (Issue 819)

A vulnerability labeled as critical has been found in EverShop 2.0.1. This vulnerability affects unknown code of the file /api/images.

CVE-2025-65186 | Grav CMS 1.7.49 Page Editor cross site scripting

A vulnerability marked as problematic has been reported in Grav CMS 1.7.49. This issue affects some unknown processing of the

CVE-2025-64070 | SourceCodester Student Grades Management System 1.0 Add New Subject Description cross site scripting

A vulnerability described as problematic has been identified in SourceCodester Student Grades Management System 1.0. Impacted is an unknown function.

CVE-2025-66454 | ArcadeAI arcade-mcp up to 1.5.3 hard-coded key

A vulnerability classified as critical has been found in ArcadeAI arcade-mcp up to 1.5.3. The affected element is an unknown

CVE-2025-34352 | JumpCloud Remote Assist up to 0.316.x on Windows DeleteFileW temp file

A vulnerability classified as critical was found in JumpCloud Remote Assist up to 0.316.x on Windows. The impacted element is

CVE-2025-66460 | lookyloo up to 1.35.2 cross site scripting

A vulnerability, which was classified as problematic, has been found in lookyloo up to 1.35.2. This affects an unknown function.

CVE-2025-66459 | lookyloo up to 1.35.2 Error cross site scripting

A vulnerability, which was classified as problematic, was found in lookyloo up to 1.35.2. This impacts an unknown function. Such

CVE-2025-66458 | lookyloo up to 1.35.2 cross site scripting

A vulnerability has been found in lookyloo up to 1.35.2 and classified as problematic. Affected is an unknown function. Performing

CVE-2025-65896 | long2ice assyncmy up to 0.2.10 Dict Key sql injection

A vulnerability was found in long2ice assyncmy up to 0.2.10 and classified as critical. Affected by this vulnerability is an

CVE-2025-10304 | Everest Backup Plugin up to 2.3.8 on WordPress process_status_unlink authorization

A vulnerability was found in Everest Backup Plugin up to 2.3.8 on WordPress. It has been classified as critical. Affected

CVE-2025-57850 | codeready-ws /etc/passwd permission

A vulnerability was found in codeready-ws. It has been declared as critical. This affects an unknown part of the file

CVE-2025-13510 | Iskra iHUB/iHUB Lite missing authentication (icsa-25-336-02)

A vulnerability was found in Iskra iHUB and iHUB Lite. It has been rated as critical. This vulnerability affects unknown

CVE-2025-13658 | Industrial Video & Control Longwatch up to 6.334 HTTP GET Request code injection (icsa-25-336-01)

A vulnerability categorized as critical has been discovered in Industrial Video & Control Longwatch up to 6.334. This issue affects

CVE-2025-13372 | Django up to 4.2.26/5.1.14/5.2.8 FilteredRelation QuerySet.annotate/QuerySet.alias sql injection (EUVD-2025-200249)

A vulnerability classified as critical has been found in Django up to 4.2.26/5.1.14/5.2.8. Affected by this vulnerability is the function

CVE-2025-64460 | Django up to 4.2.26/5.1.14/5.2.8 algorithmic complexity (EUVD-2025-200248)

A vulnerability classified as problematic was found in Django up to 4.2.26/5.1.14/5.2.8. Affected by this issue is some unknown functionality

CVE-2025-59703 | Entrust nShield Connect XC/nShield 5c/nShield HSMi up to 13.6.11/13.7

A vulnerability, which was classified as problematic, has been found in Entrust nShield Connect XC, nShield 5c and nShield HSMi

CVE-2025-59704 | Entrust nShield Connect XC/nShield 5c/nShield HSMi up to 13.6.11/13.7 BIOS Menu Local Privilege Escalation

A vulnerability, which was classified as critical, was found in Entrust nShield Connect XC, nShield 5c and nShield HSMi up