CVE-2025-12427 YITH WooCommerce Wishlist <= 4.10.0 - Unauthenticated Insecure Direct Object Reference to Unauthenticated Wishlist Rename

The YITH WooCommerce Wishlist plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.10.0 via the REST API endpoint and AJAX handler due to missing validation on user-controlled keys. This makes it possible for unauthenticated attackers to...

CVE-2025-3717

When using the Grafana Snowflake Datasource Plugin, if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it could result in the wrong user identifier being used, and information for which the viewer is n...

CVE-2025-41116

When using the Grafana Databricks Datasource Plugin, if Oauth passthrough is enabled on the datasource, and multiple users are using the same datasource at the same time on a single Grafana instance, it could result in the wrong user identifier being used, and information for which the viewer is...

Insecure Temporary File Usage

llama-index-core is vulnerable to Insecure Temporary File Usage. The vulnerability is due to the use of a predictable hardcoded cache directory /tmp/llamaindex in getcachedir, where attackers on multi-user Linux systems can steal cached model data, poison embeddings, or exploit symlink race...

CVE-2025-41116

CVE-2025-41116 affects Grafana Databricks Datasource Plugin. When Oauth passthrough is enabled and multiple users share a single Grafana instance/datasource, the wrong user identifier can be used, potentially returning data the viewer is not authorized to see. Affected versions: 1.6.0 up to, but ...

Redis: Redis: Authenticated users can execute LUA scripts as a different user

A code injection vulnerability in Redis Lua scripting where an authenticated user can craft a Lua script to manipulate objects and potentially execute code in another user’s context...

curl: curl’s persistence files inherit world-readable/writable perms from umask, leaking and tampering with cookies/HSTS/Alt-Svc caches

Executive Summary Curlfopen clones the permissions of any pre-existing persistence file when creating its temporary file. When the persistence file does not exist, it first creates one with the process umask typically 022, i.e., 0644. That mode is then copied to the temp file via 0600 | sb.stmode...

GHSA-RG9H-VX28-XXP5 llama-index has Insecure Temporary File

The llamaindex library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, dat...

llama-index has Insecure Temporary File

The llamaindex library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, dat...

EUVD-2009-3351

Malware in sbrugna...

EUVD-2021-14589

Malware in sbrugna...

EUVD-2007-2625

Malware in sbrugna...

EUVD-2017-11786

Malware in sbrugna...

EUVD-2021-24159

Malware in sbrugna...

EUVD-2020-16575

Malware in sbrugna...

Pilot Contamination Attacks Detection with Machine Learning for Multi-User Massive MIMO

Massive multiple-input multiple-output MMIMO is essential to modern wireless communication systems, like 5G and 6G, but it is vulnerable to active eavesdropping attacks. One type of such attack is the pilot contamination attack PCA, where a malicious user copies pilot signals from an authentic us...

EUVD-2024-34963

Malicious code in bioql PyPI...

EUVD-2023-32624

Malicious code in bioql PyPI...

EUVD-2025-31429

Malicious code in bioql PyPI...

EUVD-2023-53247

Malicious code in bioql PyPI...