8790 matches found

Snyk
added 2025/10/29 10:12 p.m., 5 views

Improper Validation of Syntactic Correctness of Input

Overview: uv is an extremely fast Python package and project manager, written in Rust. Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input in the processing of ZIP archive filenames. An attacker can cause malicious code to be executed or files to ...

CVSS 6.3 | AI score 6.9 | EPSS 0.0015
Exploits 0 | References 3

OSV
added 2025/10/29 10:12 p.m., 2 views

GHSA-PQHF-P39G-3X64 uv allows ZIP payload obfuscation through parsing differentials

Impact: In versions 0.9.5 and earlier of uv, ZIP archives were handled in a manner that enabled two parsing differentials against other components of the Python packaging ecosystem: 1. Central directory entries in a ZIP archive can contain comment fields. However, uv would assume that these fields...

CVSS 6.8 | AI score 6.2 | EPSS 0.0015
Exploits 0 | References 3

Github Security Blog
added 2025/10/29 10:12 p.m., 29 views

uv allows ZIP payload obfuscation through parsing differentials

Impact: In versions 0.9.5 and earlier of uv, ZIP archives were handled in a manner that enabled two parsing differentials against other components of the Python packaging ecosystem: 1. Central directory entries in a ZIP archive can contain comment fields. However, uv would assume that these fields...

AI score 6.9
Exploits 0 | References 3 | Affected Software 1
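The uv entries above turn on parsing differentials in ZIP handling: readers that trust different parts of the archive (the central directory, the per-entry comment fields, the local headers, the bytes after the end-of-central-directory record) can disagree about what the archive contains. The script below is an added illustration and is not uv's parser or its fix. It walks the end-of-central-directory record and every central-directory entry by hand, reports per-entry comment fields, checks that each local header names the same file as its central-directory entry, and rejects bytes after the end-of-central-directory record; it then shows what Python's standard zipfile module lists for the same bytes. The sample archives are constructed in memory, plain (non-zip64) archives only are handled, and the helper names audit_zip, stdlib_names, build_zip and forge_local_name are this example's own.

```python
"""Strict ZIP central-directory audit.

Added illustration only: this is not uv's parser or its fix. It reads the
end-of-central-directory (EOCD) record and every central-directory entry by
hand, then reports the kinds of disagreement a lenient reader would silently
tolerate. Plain (non-zip64) archives only. Helper names are this example's own.
"""
import io
import struct
import zipfile

EOCD_SIG = b"PK\x05\x06"
CDH_SIG = b"PK\x01\x02"
LFH_SIG = b"PK\x03\x04"
EOCD_FMT = "<4sHHHHIIH"          # 22-byte end-of-central-directory record
CDH_FMT = "<4sHHHHHHIIIHHHHHII"  # 46-byte central directory file header
LFH_FMT = "<4sHHHHHIIIHH"        # 30-byte local file header


def audit_zip(data: bytes) -> list:
    """Return findings as strings; an empty list means nothing suspicious."""
    findings = []
    eocd_at = data.rfind(EOCD_SIG)
    if eocd_at < 0 or len(data) - eocd_at < 22:
        return ["no usable end-of-central-directory record"]
    _, _, _, _, n_entries, cd_size, cd_off, ar_comment_len = struct.unpack(
        EOCD_FMT, data[eocd_at:eocd_at + 22])
    if ar_comment_len:
        findings.append(f"archive comment of {ar_comment_len} bytes")
    if eocd_at + 22 + ar_comment_len != len(data):
        findings.append("trailing bytes after end-of-central-directory record")

    pos = cd_off
    for i in range(n_entries):
        hdr = data[pos:pos + 46]
        if len(hdr) < 46 or hdr[:4] != CDH_SIG:
            findings.append(f"entry {i}: bad central directory header")
            break
        f = struct.unpack(CDH_FMT, hdr)
        name_len, extra_len, comment_len, lfh_off = f[10], f[11], f[12], f[16]
        name = data[pos + 46:pos + 46 + name_len]
        comment_at = pos + 46 + name_len + extra_len
        comment = data[comment_at:comment_at + comment_len]
        if comment:
            findings.append(f"entry {name!r}: {len(comment)}-byte central directory comment")
        # Cross-check the local header that a stream-oriented reader trusts instead.
        lfh = data[lfh_off:lfh_off + 30]
        if len(lfh) < 30 or lfh[:4] != LFH_SIG:
            findings.append(f"entry {name!r}: bad local header")
        else:
            local_name_len = struct.unpack(LFH_FMT, lfh)[9]
            local_name = data[lfh_off + 30:lfh_off + 30 + local_name_len]
            if local_name != name:
                findings.append(f"entry {name!r}: local header names {local_name!r}")
        pos = comment_at + comment_len
    if pos - cd_off != cd_size:
        findings.append("central directory size disagrees with EOCD record")
    return findings


def stdlib_names(data: bytes) -> list:
    """What a lenient reader (here Python's zipfile) lists for the same bytes."""
    return zipfile.ZipFile(io.BytesIO(data)).namelist()


def build_zip(name: str, payload: bytes, entry_comment: bytes = b"") -> bytes:
    """Constructed sample archive; the entry comment lands only in the central directory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zi = zipfile.ZipInfo(name)  # ZIP_STORED, fixed 1980 timestamp
        zi.comment = entry_comment
        zf.writestr(zi, payload)
    return buf.getvalue()


def forge_local_name(data: bytes, old: bytes, new: bytes) -> bytes:
    """Rewrite the name in the first local header only; the central directory keeps `old`."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the header length")
    at = data.find(old)  # first occurrence is the local header, ahead of the central directory
    return data[:at] + new + data[at + len(old):]


if __name__ == "__main__":
    clean = build_zip("a.txt", b"hello")
    samples = [
        ("clean", clean),
        ("entry comment", build_zip("a.txt", b"hello", b"hidden")),
        ("forged local name", forge_local_name(clean, b"a.txt", b"b.txt")),
        ("trailing bytes", clean + b"junk"),
    ]
    for label, blob in samples:
        print(f"{label:18} zipfile: {stdlib_names(blob)}  strict: {audit_zip(blob) or 'OK'}")
```

The standard library lists "a.txt" for the forged archive (it reads names from the central directory) and opens the archive with trailing bytes without complaint, while the strict audit reports both; that gap between two readers of the same bytes is the shape of the differential the advisory describes. An installer that wants to stay out of such gaps should fail closed on any finding rather than pick one interpretation.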

NVD
added 2025/10/29 9:15 a.m., 11 views

CVE-2025-64195

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress Eduma (eduma) allows PHP Local File Inclusion. This issue affects Eduma: from n/a through 5.7.6...

CVSS 7.5 | EPSS 0.00393
Exploits 0 | References 1

Cvelist
added 2025/10/29 8:38 a.m., 8 views

CVE-2025-64284 WordPress Majestic Support plugin <= 1.0.7 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Majestic Support (majestic-support) allows PHP Local File Inclusion. This issue affects Majestic Support: from n/a through 1.0.7...

CVSS 7.5 | EPSS 0.00328
Exploits 0 | References 1

CVE
added 2025/10/29 8:38 a.m., 9 views

CVE-2025-64284

CVE-2025-64284 corresponds to a Local File Inclusion vulnerability in the WordPress Majestic Support plugin. The issue stems from improper control of filenames for include/require statements, enabling PHP Local File Inclusion in Majestic Support versions up to 1.1.1 (and potentially 1.1.2 as late...

CVSS 7.5 | AI score 5.9 | EPSS 0.00328
Exploits 0 | References 1

Vulnrichment
added 2025/10/29 8:38 a.m., 3 views

CVE-2025-64195 WordPress Eduma theme <= 5.7.6 - Local File Inclusion vulnerability

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThimPress Eduma (eduma) allows PHP Local File Inclusion. This issue affects Eduma: from n/a through 5.7.6...

CVSS 7.5 | AI score 6.7 | EPSS 0.00393
Exploits 0 | References 1

CVE
added 2025/10/29 8:38 a.m., 14 views

CVE-2025-64195

CVE-2025-64195 affects the WordPress Eduma theme by ThimPress up to version 5.7.6: improper control of the filename in include/require statements enables Local File Inclusion (LFI). The issue is documented across multiple sources (NVD/Red Hat/CVE records) as Eduma 5.7.6) to mitigate the vuln...

CVSS 7.5 | AI score 6.7 | EPSS 0.00393
Exploits 0 | References 1

CNNVD
added 2025/10/29 12:00 a.m., 2 views

WordPress plugin Eduma security vulnerability

WordPress and its plugins are products of the WordPress Foundation. WordPress is a blogging platform developed in PHP that can host personal blog sites on PHP- and MySQL-based servers. A WordPress plugin is an application plugin. A security...

CVSS 7.5 | AI score 6.6 | EPSS 0.00393
Exploits 0 | References 1

CNNVD
added 2025/10/29 12:00 a.m., 2 views

WordPress plugin SmartMag security vulnerability

WordPress and its plugins are products of the WordPress Foundation. WordPress is a blogging platform developed in PHP that can host personal blog sites on PHP- and MySQL-based servers. A WordPress plugin is an application plugin. A security...

CVSS 7.5 | AI score 6.4 | EPSS 0.00319
Exploits 0 | References 1

CNNVD
added 2025/10/29 12:00 a.m., 5 views

WordPress plugin Majestic Support security vulnerability

WordPress and its plugins are products of the WordPress Foundation. WordPress is a blogging platform developed in PHP that can host personal blog sites on PHP- and MySQL-based servers. A WordPress plugin is an application plugin. A security vulnerability exists in...

CVSS 7.5 | AI score 6.6 | EPSS 0.00328
Exploits 0 | References 1

Positive Technologies
added 2025/10/29 12:00 a.m., 5 views

PT-2025-44242

Name of the Vulnerable Software and Affected Versions: ThimPress Eduma versions through 5.7.6. Description: The software contains a flaw related to improper control of the filename for include/require statements, specifically a PHP Local File Inclusion issue. This allows for the inclusion of local files...

CVSS 7.5 | AI score 6.5 | EPSS 0.00393
Exploits 0 | References 3

Tenable Nessus
added 2025/10/29 12:00 a.m., 4 views

FreeBSD : privatebin - Missing HTML sanitisation of attached filename in file size hint enabling persistent XSS (a8dacd4b-b416-11f0-9f23-ecf4bbefc954)

The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the a8dacd4b-b416-11f0-9f23-ecf4bbefc954 advisory. PrivateBin reports: We've identified an HTML injection/XSS vulnerability in the PrivateBin service that...

CVSS 5.8 | AI score 5.8 | EPSS 0.00266
Exploits 0 | References 3

OSV
added 2025/10/28 8:47 p.m., 4 views

CVE-2025-62796 PrivateBin persistent HTML injection in attachment filename enables redirect and defacement

PrivateBin is an online pastebin where the server has zero knowledge of pasted data. Versions 1.7.7 through 2.0.1 allow persistent HTML injection via the unsanitized attachment filename (attachmentname) when attachments are enabled. An attacker can modify attachmentname before encryption so that,...

CVSS 5.8 | AI score 7.3 | EPSS 0.00266
Exploits 0 | References 5

OSV
added 2025/10/28 8:14 p.m., 3 views

GHSA-867C-P784-5Q6G PrivateBin is missing HTML sanitization of attached filename in file size hint

We've identified an HTML injection/XSS vulnerability in the PrivateBin service that allows the injection of arbitrary HTML markup via the attached filename. Below are the technical details, PoC, reproduction steps, impact, and mitigation recommendations. Recommended action: As the vulnerability has bee...

CVSS 5.8 | AI score 6.5 | EPSS 0.00266
Exploits 0 | References 5

Github Security Blog
added 2025/10/28 8:14 p.m., 8 views

PrivateBin is missing HTML sanitization of attached filename in file size hint

We've identified an HTML injection/XSS vulnerability in the PrivateBin service that allows the injection of arbitrary HTML markup via the attached filename. Below are the technical details, PoC, reproduction steps, impact, and mitigation recommendations. Recommended action: As the vulnerability has bee...

CVSS 5.8 | AI score 6.5 | EPSS 0.00266
Exploits 0 | References 5 | Affected Software 1

Cvelist
added 2025/10/28 11:48 a.m., 5 views

CVE-2025-40067 fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist

In the Linux kernel, the following vulnerability has been resolved: fs/ntfs3: reject index allocation if $BITMAP is empty but blocks exist. Index allocation requires at least one bit in the $BITMAP attribute to track usage of index entries. If the bitmap is empty while index blocks are already...

EPSS 0.00166
Exploits 0 | References 4

CVE
added 2025/10/28 11:48 a.m., 15 views

CVE-2025-40067

CVE-2025-40067 affects the Linux kernel's ntfs3 filesystem. It describes a condition where index allocation can proceed with an empty $BITMAP attribute while index blocks already exist, causing on-disk corruption. It is triggered by a malformed NTFS image during a long-filename rename, where the empty bitmap allow...

AI score 6.1 | EPSS 0.00166
Exploits 0 | References 4

SUSE Linux
added 2025/10/28 7:20 a.m., 4 views

Security update 5.1.1 for Multi-Linux Manager Client Tools

This update fixes the following issues: dracut-saltboot was updated from version 0.1 to version 1.0.0. Version 1.0.0 bugs fixed: reboot on salt key timeout (bsc#1237495); fixed parsing of files with a space in the name (bsc#1252100). golang-github-prometheus-alertmanager was updated from version 0.26.0 to...

CVSS 7.6 | AI score 7.2 | EPSS 0.37565
Exploits 0 | References 66

RedhatCVE
added 2025/10/28 6:59 a.m., 4 views

CVE-2025-12055

HYDRA X, MIP 2 and FEDRA 2 of MPDV Mikrolab GmbH suffer from an unauthenticated local file disclosure vulnerability in all releases up to Maintenance Pack 36 with Servicepack 8 (week 36/2025), which allows an attacker to read arbitrary files from the Windows operating system. The "Filename" paramet...

CVSS 7.5 | AI score 6.5 | EPSS 0.03783
Exploits 0 | References 1