IBM Security Bulletins
added 2025/12/03 11:08 a.m., 6 views

Security Bulletin: Multiple vulnerabilities in IBM Disconnected Log Collector

Summary: Multiple vulnerabilities were addressed in IBM Disconnected Log Collector version 2.0.0. Vulnerability Details: CVEID: CVE-2025-48734. DESCRIPTION: Improper Access Control vulnerability in Apache Commons. A special BeanIntrospector class was added in version 1.9.2. This can be used to stop...

CVSS 8.8, AI score 9.2, EPSS 0.08665
Exploits: 2, Affected software: 1
Imperva Blog
added 2025/12/03 9:40 a.m., 5 views

’Tis the Season to Be Cyber-Wary: How Thales Protects Against Account Takeover During Peak Shopping Season

The holiday shopping season is the busiest time of year for online retailers, and increasingly the most dangerous. As traffic surges and customers rush to place orders, cybercriminals use the distraction and volume to blend in. Account Takeover (ATO) attacks spike sharply in November and December,...

AI score 7.1
Exploits: 0
OSV
added 2025/12/02 11:07 p.m., 5 views

CLSA-2025-1764716872 tomcat: Fix of CVE-2025-31651

CVE-2025-31651: fix improper neutralization of escape, meta, or control sequences...

CVSS 9.8, AI score 7.2, EPSS 0.0418
Exploits: 1, References: 1
RedhatCVE
added 2025/12/02 9:26 p.m., 9 views

CVE-2025-66295

Grav is a file-based Web platform. Prior to 1.8.0-beta.27, when a user with the privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path...

CVSS 8.8, AI score 6.8, EPSS 0.00464
Exploits: 0, References: 1
Snyk
added 2025/12/02 6:50 a.m., 6 views

Directory Traversal

Overview: unstructured is a library that prepares raw documents for downstream ML tasks. Affected versions of this package are vulnerable to Directory Traversal via the partitionmsg function’s handling of attachment filenames in email MSG files. An attacker can exploit this vulnerability by...

CVSS 9.8, AI score 7.5, EPSS 0.00616
Exploits: 0, References: 3
Snyk
added 2025/12/02 6:45 a.m., 19 views

Allocation of Resources Without Limits or Throttling

Overview: Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via algorithmic complexity in the SQL parsing logic. The parser fails to enforce limits when handling deeply nested tuples or unusually large token sequences, allowing an attacker to...

CVSS 8.7, AI score 7.5, EPSS 0.0321
Exploits: 0, References: 4
Snyk
added 2025/12/02 6:44 a.m., 1 view

Directory Traversal

Overview: rxiv-maker is a package for writing scientific preprints in Markdown and generating publication-ready PDFs efficiently. Affected versions of this package are vulnerable to Directory Traversal due to insufficient sanitization of GitHub name input. The GitHub name validation logic fails to strip path...

CVSS 8.7, AI score 7.5
Exploits: 0, References: 3
Snyk
added 2025/12/02 6:35 a.m., 2 views

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal due to missing canonicalization of destination file paths during model downloads. The createNewFile function in pkg/agent/storage/https.go previously used the fileFullName argument directly without cleaning, allowing...

CVSS 6.9, AI score 7.5
Exploits: 0, References: 3
Snyk
added 2025/12/02 6:32 a.m., 1 view

Directory Traversal

Overview: gapless-crypto-clickhouse is a ClickHouse-based cryptocurrency data collection package with a zero-gap guarantee: 22x faster via the Binance public repository, with persistent database storage, USDT-margined futures support, and a production-ready ReplacingMergeTree schema. Affected versions of this...

CVSS 8.7, AI score 7.3
Exploits: 0, References: 3
Snyk
added 2025/12/02 6:32 a.m., 2 views

Directory Traversal

Overview: gapless-crypto-data is a cryptocurrency OHLCV data collection package with a gap-free guarantee. It retrieves microstructure-enriched kline data from the Binance Public Data Repository with automatic gap detection and filling. Affected versions of this package are vulnerable to Directory Traversal due to...

CVSS 8.7, AI score 7.5
Exploits: 0, References: 3
Snyk
added 2025/12/02 6:31 a.m., 2 views

Directory Traversal

Overview: flamehaven-filesearch (FLAMEHAVEN FileSearch) is an open source semantic document search with API authentication, powered by Google Gemini. Affected versions of this package are vulnerable to Directory Traversal due to insufficient validation and sanitization of user-controlled filenames in...

CVSS 8.7, AI score 7.9
Exploits: 0, References: 3
OSV
added 2025/12/02 1:23 a.m., 3 views

GHSA-H756-WH59-HHJV Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption

Summary: When a user with the privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain...

CVSS 8.8, AI score 7.1, EPSS 0.00464
Exploits: 0, References: 4
Github Security Blog
added 2025/12/02 1:23 a.m., 8 views

Grav vulnerable to Path traversal / arbitrary YAML write via user creation leading to Account Takeover / System Corruption

Summary: When a user with the privilege of user creation creates a new user through the Admin UI and supplies a username containing path traversal sequences (for example ..\Nijat or ../Nijat), Grav writes the account YAML file to an unintended path outside user/accounts/. The written YAML can contain...

CVSS 8.8, AI score 7.2, EPSS 0.00464
Exploits: 0, References: 4, Affected software: 1
Snyk
added 2025/12/02 12:38 a.m., 2 views

Directory Traversal

Overview: @fastify/reply-from is a fastify plugin that forwards your HTTP request to another server. Affected versions of this package are vulnerable to Directory Traversal via the reply.from function. An attacker can access unauthorized routes by crafting a malicious URL containing encoded directory...

CVSS 6.9, AI score 7.4, EPSS 0.00147
Exploits: 0, References: 3
Packet Storm News
added 2025/12/02 12:00 a.m., 5 views

A Wolf in Sheep's Clothing: Bypassing Commercial LLM Guardrails Via Harmless Prompt Weaving and Adaptive Tree Search

Large language models (LLMs) remain vulnerable to jailbreak attacks that bypass safety guardrails to elicit harmful outputs. Existing approaches overwhelmingly operate within the prompt-optimization paradigm: whether through traditional algorithmic search or recent agent-based workflows, the...

AI score 7.1
Exploits: 0
Packet Storm News
added 2025/12/02 12:00 a.m., 5 views

Learning the Wrong Lessons: Syntactic-Domain Spurious Correlations in Language Models

Whitepaper from researchers at MIT, Northeastern University, and Meta. For an LLM to correctly respond to an instruction it must understand both the semantics and the domain (i.e., subject area) of a given task-instruction pair. However, syntax can also convey implicit information. Recent work shows...

AI score 6.8
Exploits: 0
Tenable Nessus
added 2025/12/02 12:00 a.m., 2 views

Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: tomcat (UTSA-2025-991028)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-991028 advisory. Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat...

CVSS 9.6, AI score 8.3, EPSS 0.09917
Exploits: 0, References: 4
Tenable Nessus
added 2025/12/02 12:00 a.m., 10 views

openSUSE 16 Security Update : tomcat11 (openSUSE-SU-2025-20106-1)

The remote openSUSE 16 host has packages installed that are affected by multiple vulnerabilities as referenced in the openSUSE-SU-2025-20106-1 advisory. Update to Tomcat 11.0.13: - CVE-2025-55752: Fixed directory traversal via rewrite with possible RCE if PUT is enabled (bsc#1252753). -...

CVSS 9.6, AI score 7, EPSS 0.66535
Exploits: 4, References: 9
Tenable Nessus
added 2025/12/02 12:00 a.m., 10 views

Nutanix AOS : Multiple Vulnerabilities (NXSA-AOS-6.10.1.11)

The version of AOS installed on the remote host is prior to 6.10.1.11. It is, therefore, affected by multiple vulnerabilities as referenced in the NXSA-AOS-6.10.1.11 advisory. - Improper Neutralization of Escape, Meta, or Control Sequences vulnerability in Apache Tomcat. For a subset of unlikely...

CVSS 9.8, AI score 6.9, EPSS 0.66365
Exploits: 7, References: 12
Snyk
added 2025/12/01 11:04 p.m., 3 views

Directory Traversal

Overview: Affected versions of this package are vulnerable to Directory Traversal via the RemoveChunk function and the FileMd5 parameter. An attacker can remove arbitrary files and folders from the server by supplying crafted input. Details: A Directory Traversal attack, also known as path traversal,...

CVSS 9.1, AI score 7.4, EPSS 0.00497
Exploits: 1, References: 2