
256 matches found

PyPA
• added 2025/09/26 8:15 a.m. • 8 views

PYSEC-2025-85

Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values. In Airflow 3.0.3, this model was unintentional...

CVSS 6.5 · AI score 8 · EPSS 0.00903
Exploits 0 · References 3 · Affected Software 1
Cvelist
• added 2025/09/26 7:28 a.m. • 8 views

CVE-2025-54831 Apache Airflow: Connection sensitive details exposed to users with READ permissions

Apache Airflow 3 introduced a change to the handling of sensitive information in Connections. The intent was to restrict access to sensitive connection fields to Connection Editing Users, effectively applying a "write-only" model for sensitive values. In Airflow 3.0.3, this model was...

EPSS 0.00903
Exploits 0 · References 1
Cvelist
• added 2025/09/24 8:25 p.m. • 23 views

CVE-2025-59833 FlagForgeCTF Hint Exposure via API

Flag Forge is a Capture The Flag CTF platform. In versions from 2.1.0 to before 2.3.0, the API endpoint GET /api/problems/:id returns challenge hints in plaintext within the question object, regardless of whether the user has unlocked them via point deduction. Users can view all hints for free,...

CVSS 7.5 · EPSS 0.00323
Exploits 0 · References 1
Positive Technologies
• added 2025/09/11 12:00 a.m. • 6 views

PT-2025-37257

Name of the Vulnerable Software and Affected Versions: AIRI version 0.7.2-beta.2
Description: AIRI is a self-hosted, artificial-intelligence-based Grok Companion. The application processes Markdown content using the useMarkdown composable and renders it directly into the DOM using v-html. An...

CVSS 9.6 · AI score 5.8 · EPSS 0.00522
Exploits 0 · References 7
Positive Technologies
• added 2025/09/02 12:00 a.m. • 5 views

PT-2025-35554

Name of the Vulnerable Software and Affected Versions: E3 Site Supervisor Control versions prior to 2.31F01
Description: The RCI service in E3 Site Supervisor Control contains an API call that allows reading user information, including all usernames and password hashes for application services...

CVSS 7.7 · AI score 6.4 · EPSS 0.00241
Exploits 0 · References 4
Tenable Nessus
• added 2025/08/27 12:00 a.m. • 5 views

Linux Distros Unpatched Vulnerability : CVE-2023-0223

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue has been discovered in GitLab affecting all versions starting from 15.5 before 15.7.8, all versions starting from 15.8 before 15.8.4, all versions...

CVSS 5.3 · AI score 5.5 · EPSS 0.00786
Exploits 0 · References 2
RedhatCVE
• added 2025/08/20 4:14 p.m. • 5 views

CVE-2025-8415

A vulnerability was found in the Cryostat HTTP API. Cryostat's HTTP API binds to all network interfaces, allowing possible external visibility and access to the API port if Network Policies are disabled, allowing an unauthenticated, malicious attacker to jeopardize the environment. Mitigation...

CVSS 5.9 · AI score 6.5 · EPSS 0.00296
Exploits 0 · References 3
CVE
• added 2025/08/20 1:28 p.m. • 123 views

CVE-2025-9074

Docker Desktop exposes the Docker Engine API on the internal subnet (example: 192.168.65.7:2375) without authentication, enabling a container to create a privileged container that mounts host filesystem access. Public writeups and exploits in the connected literature demonstrate a...

CVSS 9.3 · AI score 6.7 · EPSS 0.01594
Exploits 15 · References 7
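An added check for the exposure this entry describes, written for this listing rather than taken from Docker or from the public CVE-2025-9074 writeups. It probes the unauthenticated API address the advisory quotes (192.168.65.7:2375, assumed to be reachable only from a container on that host) and flags container-create request bodies that carry the privileged-plus-host-mount combination the entry names. The request bodies are constructed samples and the function names are assumptions.

```python
"""Checks for an exposed Docker Engine API and for container-create requests
that hand the container the host.

Added example for this listing, not code from Docker or from the public
CVE-2025-9074 writeups. The address below is the one quoted in the advisory;
the request bodies are constructed samples and the function names are assumptions.
"""
import urllib.error
import urllib.request
from typing import Any, Dict, List, Union

# Example address from the advisory: Docker Desktop's internal subnet, TCP 2375, no TLS, no auth.
DOCKER_API = "http://192.168.65.7:2375"


def api_reachable(base_url: str = DOCKER_API, timeout: float = 2.0) -> bool:
    """Return True if an unauthenticated GET /_ping answers 'OK'.

    Run this from inside a container: a reply means any workload on the host can
    drive the engine. Live network call, so not exercised by the offline checks below.
    """
    try:
        with urllib.request.urlopen(f"{base_url}/_ping", timeout=timeout) as resp:
            return resp.status == 200 and resp.read().strip() == b"OK"
    except (urllib.error.URLError, OSError, ValueError):
        return False


# Host paths whose bind mount amounts to host filesystem (or engine) access.
SENSITIVE_HOST_PATHS = ("/etc", "/root", "/home", "/proc", "/sys", "/var/run/docker.sock")


def mount_source(mount: Union[str, Dict[str, Any]]) -> str:
    """Host-side path from a Binds entry ('/:/host:rw') or a Mounts dict ({'Source': ...})."""
    if isinstance(mount, dict):
        return str(mount.get("Source", ""))
    return mount.split(":", 1)[0]


def is_sensitive_host_path(src: str) -> bool:
    """'/' itself, or anything at or under one of SENSITIVE_HOST_PATHS."""
    if src == "/":
        return True
    return any(src == p or src.startswith(p + "/") for p in SENSITIVE_HOST_PATHS)


def risky_create_request(body: Dict[str, Any]) -> List[str]:
    """Reasons a POST /containers/create body would give the container the host.

    Looks for the pieces of the chain the advisory describes: a privileged
    container plus a bind mount of the host filesystem.
    """
    host = body.get("HostConfig") or {}
    reasons: List[str] = []
    if host.get("Privileged"):
        reasons.append("HostConfig.Privileged=true")
    if host.get("PidMode") == "host":
        reasons.append("HostConfig.PidMode=host")
    for mount in list(host.get("Binds") or []) + list(host.get("Mounts") or []):
        src = mount_source(mount)
        if is_sensitive_host_path(src):
            reasons.append(f"host path mounted: {src}")
    return reasons


def scan_requests(bodies) -> Dict[int, List[str]]:
    """Index -> reasons, for every request body that is not clean."""
    flagged: Dict[int, List[str]] = {}
    for i, body in enumerate(bodies):
        reasons = risky_create_request(body)
        if reasons:
            flagged[i] = reasons
    return flagged


# Constructed sample create requests (not captured traffic).
SAMPLE_REQUESTS = [
    {"Image": "nginx:1.27", "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]}},
    {"Image": "alpine", "Cmd": ["sh"], "HostConfig": {"Privileged": True, "Binds": ["/:/host"]}},
    {"Image": "busybox", "HostConfig": {"Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock", "Target": "/var/run/docker.sock"}]}},
]

if __name__ == "__main__":
    print("engine API reachable without auth:", api_reachable())
    for idx, why in scan_requests(SAMPLE_REQUESTS).items():
        print(f"request {idx}: {', '.join(why)}")
```

`api_reachable()` is meant to be run from inside a container on the Docker Desktop host under test; on a patched install it should return False. The request-body check is what a proxy, admission hook or audit-log review would apply independently of this CVE: a privileged container with `/` bind-mounted is a host compromise whichever route reached the API.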
Positive Technologies
• added 2025/08/14 12:00 a.m. • 3 views

PT-2025-33136 · WordPress · PPWP – Password Protect Pages

Name of the Vulnerable Software and Affected Versions: PPWP – Password Protect Pages WordPress plugin versions prior to 1.9.11
Description: The PPWP – Password Protect Pages WordPress plugin prior to version 1.9.11 allows site content to be placed behind password authorization; however, users wit...

CVSS 6.5 · AI score 6.3 · EPSS 0.0029
Exploits 1 · References 6
Tenable Nessus
• added 2025/08/09 12:00 a.m. • 5 views

Linux Distros Unpatched Vulnerability : CVE-2025-7001

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed...

CVSS 4.3 · AI score 5.5 · EPSS 0.00358
Exploits 0 · References 2
OSV
• added 2025/07/24 6:05 a.m. • 3 views

CVE-2025-7001 Insufficient Granularity of Access Control in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 15.0 before 18.0.5, 18.1 before 18.1.3, and 18.2 before 18.2.1 that could have allowed privileged users to access certain resource group information through the API which should have been unavailable...

CVSS 4.3 · AI score 6.3 · EPSS 0.00358
Exploits 0 · References 5
NVD
• added 2025/07/18 12:15 p.m. • 12 views

CVE-2025-6227

Mattermost versions 10.5.x <= 10.5.7, 9.11.x <= 9.11.16 fail to negotiate a new token when accepting the invite, which allows a user that intercepts both invite and password to send synchronization payloads to the server that originally created the invite via the REST API...

CVSS 3.1 · EPSS 0.00175
Exploits 0 · References 1
Positive Technologies
• added 2025/07/18 12:00 a.m. • 3 views

PT-2025-30028 · Mattermost · Mattermost

Name of the Vulnerable Software and Affected Versions: Mattermost versions 10.5.x through 10.5.7; Mattermost versions 9.11.x through 9.11.16
Description: Mattermost fails to negotiate a new token when accepting an invite. This allows a user who intercepts both the invite and the password to send...

CVSS 2.2 · AI score 6.4 · EPSS 0.00175
Exploits 0 · References 9
RedhatCVE
• added 2025/07/11 3:42 p.m. • 10 views

CVE-2025-53671

Jenkins Nouvola DiveCloud Plugin 1.08 and earlier does not mask DiveCloud API Keys and Credentials Encryption Keys displayed on the job configuration form, increasing the potential for attackers to observe and capture them...

CVSS 6.5 · AI score 7.1 · EPSS 0.00175
Exploits 0 · References 1
OSV
• added 2025/07/09 3:15 p.m. • 3 views

CVE-2025-7204

In ConnectWise PSA versions older than 2025.9, a vulnerability exists where authenticated users could gain access to sensitive user information. Specific API requests were found to return an overly verbose user object, which included encrypted password hashes for other users. Authenticated users...

CVSS 6.5 · AI score 5.8 · EPSS 0.00295
Exploits 0 · References 2
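The Airflow, Flag Forge, E3 Site Supervisor, Jenkins DiveCloud and ConnectWise PSA entries above are variants of one defect: a field the caller is not entitled to (a secret, a hash, a locked hint) reaches the response because the object is serialized as a whole. The example below was added for this listing and is not code from any of those projects. It shows a write-only treatment of secret fields keyed on the caller's permission, including the round-trip case where a UI posts the mask back, plus a walker that scans a decoded JSON response for unmasked sensitive keys as a regression test against the over-verbose-object pattern. The class names, permission strings and sample records are assumptions.

```python
"""Write-only secret fields and a leak check for API responses.

Added example for this listing, not code from Apache Airflow, Emerson E3,
Jenkins, Flag Forge or ConnectWise. The classes, permission strings and the
sample records are assumptions made for illustration.
"""
import json
from dataclasses import dataclass, asdict
from typing import Any, Dict, List

# Keys that must never be echoed back to any API caller.
SENSITIVE_FIELDS = frozenset({"password", "password_hash", "extra", "api_key", "encryption_key"})
MASK = "***"
READ, EDIT = "connection:read", "connection:edit"   # hypothetical permission names


@dataclass
class Connection:
    conn_id: str
    host: str
    login: str
    password: str = ""
    extra: str = ""   # free-form JSON that routinely carries tokens, so treated as secret


@dataclass
class Principal:
    name: str
    permissions: frozenset


def serialize(conn: Connection, caller: Principal) -> Dict[str, Any]:
    """Render a connection for the caller with secrets treated as write-only.

    Nobody gets the secret value back. Editors get a set/unset marker so they can
    see that a rotation took effect; read-only callers cannot even tell whether
    the field is populated, which closes the 'masked but present' oracle.
    """
    if READ not in caller.permissions:
        raise PermissionError(f"{caller.name} may not read {conn.conn_id}")
    data = asdict(conn)
    for name in [n for n in data if n in SENSITIVE_FIELDS]:
        is_set = bool(data[name])
        data[name] = MASK if (EDIT in caller.permissions and is_set) else ""
    return data


def apply_update(conn: Connection, caller: Principal, patch: Dict[str, Any]) -> Connection:
    """Accept secret fields only from editors, and treat an echoed mask as 'unchanged'
    so a UI that round-trips the serialized form cannot overwrite a secret with '***'."""
    if EDIT not in caller.permissions:
        raise PermissionError(f"{caller.name} may not edit {conn.conn_id}")
    for name, value in patch.items():
        if name in SENSITIVE_FIELDS and value == MASK:
            continue
        if not hasattr(conn, name):
            raise ValueError(f"unknown field {name}")
        setattr(conn, name, value)
    return conn


def leaked_fields(payload: Any, path: str = "$") -> List[str]:
    """Walk a decoded JSON response and return the paths of sensitive keys that
    carry a real (unmasked, non-empty) value."""
    found: List[str] = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}"
            if key in SENSITIVE_FIELDS and value not in ("", MASK, None):
                found.append(child)
            found.extend(leaked_fields(value, child))
    elif isinstance(payload, list):
        for i, value in enumerate(payload):
            found.extend(leaked_fields(value, f"{path}[{i}]"))
    return found


# Constructed sample of an over-verbose user listing (not a real response).
VERBOSE_USER_RESPONSE = json.loads(
    '{"users": [{"id": 1, "name": "alice", "password_hash": "$2b$12$constructedhash"},'
    '           {"id": 2, "name": "bob",   "password_hash": ""}]}'
)

if __name__ == "__main__":
    conn = Connection("pg_main", "db.internal", "airflow", password="s3cret", extra='{"token": "t0k"}')
    reader = Principal("reader", frozenset({READ}))
    editor = Principal("editor", frozenset({READ, EDIT}))
    print(serialize(conn, reader))    # password and extra are empty strings
    print(serialize(conn, editor))    # password and extra show '***'
    apply_update(conn, editor, {"password": MASK, "host": "db2.internal"})
    print(conn.password)              # still 's3cret': the echoed mask did not overwrite it
    print(leaked_fields(VERBOSE_USER_RESPONSE))   # ['$.users[0].password_hash']
```

`leaked_fields` is the cheap check to put in an API test suite: run every endpoint as the least-privileged role and fail the build if the walker returns any path. It will not catch a secret smuggled under an unlisted key, so the denylist has to be maintained alongside the schema; an allowlist serializer per role, as `serialize` sketches, is the stronger control.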
CVE
• added 2025/07/04 9:52 a.m. • 18 views

CVE-2025-5920

CVE-2025-5920 affects the WordPress plugin Sharable Password Protected Posts (versions

CVSS 7.5 · AI score 6.6 · EPSS 0.0038
Exploits 1 · References 1 · Affected Software 1
Packet Storm
• added 2025/07/02 12:00 a.m. • 102 views

Microsoft SharePoint 2019 NTLM Authentication Information Disclosure

Microsoft SharePoint Central Administration improperly exposes NTLM-authenticated endpoints to low-privileged or even brute-forced domain accounts. Once authenticated, an attacker can access the api/web endpoint, disclosing rich metadata about the SharePoint site, including user group...

CVSS 8.8 · AI score 6.3 · EPSS 0.12331
Exploits 2
CVE
• added 2025/06/25 6:01 p.m. • 20 views

CVE-2025-5823

CVE-2025-5823 affects Autel MaxiCharger AC Wallbox Commercial. The vulnerability lies in the Autel Technician API where an exposed dangerous method allows an attacker to disclose sensitive information, notably credentials/serial numbers, leading to potential further compromise. The NVD/CVE entrie...

CVSS 6.5 · AI score 6.1 · EPSS 0.00453
Exploits 0 · References 1 · Affected Software 1
NVD
• added 2025/06/10 4:15 p.m. • 36 views

CVE-2025-49142

Nautobot is a Network Source of Truth and Network Automation Platform. All users of Nautobot versions prior to 2.4.10 or prior to 1.6.32 are potentially affected. Due to insufficient security configuration of the Jinja2 templating feature used in computed fields, custom links, etc. in Nautobot, a...

CVSS 7.1 · EPSS 0.00297
Exploits 0 · References 5
CNNVD
• added 2025/06/10 12:00 a.m. • 1 view

HPE Aruba Networking Private 5G Core security vulnerability

HPE Aruba Networking Private 5G Core is a 5G core from HPE America. A security vulnerability exists in HPE Aruba Networking Private 5G Core that stems from an API that could expose sensitive information and could result in the download of protected system files...

CVSS 7.7 · AI score 6.4 · EPSS 0.00396
Exploits 0 · References 2