1618 matches found

Cvelist
added 2025/03/09 3:31 p.m. (9 views)

CVE-2025-2124 Control iD RH iD API change_password cross site scripting

A vulnerability, which was classified as problematic, was found in Control iD RH iD 25.2.25.0. This affects an unknown part of the file /v2/customerdb/person.svc/changepassword of the component API Handler. The manipulation of the argument message leads to cross site scripting. It is possible to...

CVSS 5.1, EPSS 0.00286
Exploits: 0, References: 4
Github Security Blog
added 2025/03/06 12:31 a.m. (10 views)

Jenkins cross-site request forgery (CSRF) vulnerability

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not require POST requests for the HTTP endpoint toggling collapsed/expanded status of sidepanel widgets e.g., Build Queue and Build Executor Status widgets, resulting in a cross-site request forgery CSRF vulnerability. This vulnerability...

CVSS 5.4, AI score 6.8, EPSS 0.0041
Exploits: 0, References: 4, Affected Software: 1
Veracode
added 2025/03/05 7:57 a.m. (4 views)

Stack Overflow

github.com/rancher/rancher is vulnerable to Stack Overflow. The vulnerability is due to improper input handling in Rancher’s /v3-public/authproviders API endpoint, which allows a malicious user to trigger a stack overflow, leading to a crash and denial of service (DoS)...

CVSS 8.2, AI score 7, EPSS 0.0053
Exploits: 0, References: 6, Affected Software: 1
NVD
added 2025/03/04 6:15 a.m. (10 views)

CVE-2024-47259

Girishunawane, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API dynamicoverlay.cgi did not have sufficient input validation, allowing for a possible command injection leading to being able to transfer files to the Axis device with the purpose to exhaust system resources. Ax...

CVSS 7.1, EPSS 0.00542
Exploits: 0, References: 1
Cvelist
added 2025/03/03 4:36 p.m. (11 views)

CVE-2025-25301 Rembg allows SSRF via /api/remove

Rembg is a tool to remove image backgrounds. In Rembg 2.0.57 and earlier, the /api/remove endpoint takes a URL query parameter that allows an image to be fetched, processed and returned. An attacker may be able to query this endpoint to view pictures hosted on the internal network of the rembg...

CVSS 6.9, EPSS 0.00485
Exploits: 1, References: 1
OSV
added 2025/03/03 4:36 p.m. (5 views)

CVE-2025-25301 Rembg allows SSRF via /api/remove

Rembg is a tool to remove image backgrounds. In Rembg 2.0.57 and earlier, the /api/remove endpoint takes a URL query parameter that allows an image to be fetched, processed and returned. An attacker may be able to query this endpoint to view pictures hosted on the internal network of the rembg...

CVSS 6.9, AI score 6.4, EPSS 0.00485
Exploits: 1, References: 3
NVD
added 2025/03/03 1:15 a.m. (8 views)

CVE-2025-25952

An Insecure Direct Object Reference (IDOR) in the component /getStudemtAllDetailsById?studentId=XX of Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR v1.0.118 allows attackers to access sensitive user information via a crafted API request...

CVSS 6.5, EPSS 0.00336
Exploits: 0, References: 3
CVE
added 2025/03/03 12:00 a.m. (111 views)

CVE-2025-25952

Summary of CVE-2025-25952 (CISA/CVE listing) Affected product: Serosoft Solutions Pvt Ltd Academia Student Information System (SIS) EagleR, v1.0.118. Vulnerability: Insecure Direct Object References (IDOR) in the API endpoint "/getStudemtAllDetailsById?studentId=XX". Exploitation could allow an a...

CVSS 6.5, AI score 6, EPSS 0.00336
Exploits: 0, References: 3, Affected Software: 1
CVE
added 2025/02/26 3:27 a.m. (117 views)

CVE-2024-12434

CVE-2024-12434 concerns the SureMembers WordPress plugin (versions up to 1.10.6). The issue enables sensitive information exposure via the REST API, allowing unauthenticated attackers to extract restricted content. Wordfence’s vulnerability entry confirms the affected software and that a fix is a...

CVSS 5.3, AI score 5.2, EPSS 0.00511
Exploits: 0, References: 2
EUVD
added 2025/02/24 6:37 p.m. (10 views)

EUVD-2025-5077

Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...

CVSS 6.9, AI score 6.5, EPSS 0.00936
Exploits: 1, References: 2
CVE
added 2025/02/24 12:00 a.m. (140 views)

CVE-2025-27364

MITRE Caldera vulnerability CVE-2025-27364 affects Caldera server in versions up to 4.2.0 and 5.0.0 prior to the commit 35bc06e. It is a Remote Code Execution (RCE) in the server’s dynamic agent (implant) compilation feature, allowing a remote attacker to run arbitrary code on the Caldera host vi...

CVSS 10, AI score 8.5, EPSS 0.23813
Exploits: 2, References: 6
RedhatCVE
added 2025/02/22 7:17 p.m. (13 views)

CVE-2025-0352

Rapid Response Monitoring My Security Account App utilizes an API that could be exploited by an attacker to modify request data, potentially causing the API to return information about other users...

CVSS 8.7, AI score 6.4, EPSS 0.0033
Exploits: 0, References: 1
NVD
added 2025/02/20 8:15 p.m. (8 views)

CVE-2025-0352

Rapid Response Monitoring My Security Account App utilizes an API that could be exploited by an attacker to modify request data, potentially causing the API to return information about other users...

CVSS 8.7, EPSS 0.0033
Exploits: 0, References: 2
CVE
added 2025/02/20 7:15 p.m. (92 views)

CVE-2025-0352

CVE-2025-0352 concerns the Rapid Response Monitoring My Security Account App. The vulnerability arises from an API that could be tampered with to modify request data, potentially causing the API to return information about other users. Publicly cited sources (NVD, Red Hat, CVE list, CISA ICS advisory)...

CVSS 8.7, AI score 7.3, EPSS 0.0033
Exploits: 0, References: 2
OSV
added 2025/02/20 12:00 a.m. (4 views)

ALSA-2025:1739 Important: postgresql:15 security update

PostgreSQL is an advanced object-relational database management system (DBMS). Security Fixes: postgresql: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation (CVE-2025-1094). For more details about the security issues, including the impact, a CVSS score,...

CVSS 8.1, AI score 8.2, EPSS 0.89472
Exploits: 10, References: 4
AlmaLinux
added 2025/02/20 12:00 a.m. (14 views)

Important: postgresql:16 security update

PostgreSQL is an advanced object-relational database management system (DBMS). Security Fixes: postgresql: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation (CVE-2025-1094). For more details about the security issues, including the impact, a CVSS score,...

CVSS 8.1, AI score 8.3, EPSS 0.89472
Exploits: 10, References: 4
OSV
added 2025/02/20 12:00 a.m. (9 views)

ALSA-2025:1738 Important: libpq security update

The libpq package provides the PostgreSQL client library, which allows client programs to connect to PostgreSQL servers. Security Fixes: postgresql: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation (CVE-2025-1094). For more details about the security...

CVSS 8.1, AI score 8.2, EPSS 0.89472
Exploits: 10, References: 4
OSV
added 2025/02/20 12:00 a.m. (10 views)

ALSA-2025:1740 Important: postgresql:16 security update

PostgreSQL is an advanced object-relational database management system (DBMS). Security Fixes: postgresql: PostgreSQL quoting APIs miss neutralizing quoting syntax in text that fails encoding validation (CVE-2025-1094). For more details about the security issues, including the impact, a CVSS score,...

CVSS 8.1, AI score 8.2, EPSS 0.89472
Exploits: 10, References: 4
NVD
added 2025/02/19 9:15 a.m. (7 views)

CVE-2025-1007

In OpenVSX version v0.9.0 to v0.20.0, the /user/namespace/namespace/details API allows a user to edit all namespace details, even if the user is not a namespace Owner or Contributor. The details include: name, description, website, support link and social media links. The same issues existed in...

CVSS 6.9, EPSS 0.00473
Exploits: 1, References: 1
OSV
added 2025/02/19 9:15 a.m. (3 views)

CVE-2025-1007

In OpenVSX version v0.9.0 to v0.20.0, the /user/namespace/namespace/details API allows a user to edit all namespace details, even if the user is not a namespace Owner or Contributor. The details include: name, description, website, support link and social media links. The same issues existed in...

CVSS 5.3, AI score 6
Exploits: 0, References: 1