CVE-2025-41701
Beckhoff TwinCAT 3 Engineering contains a vulnerability (CVE-2025-41701) where deserialization of untrusted data can be triggered by a manipulated project file, allowing an unauthenticated local attacker to execute arbitrary commands in the user’s context. The available connected sources confirm ...
BIT-ARGO-CD-2025-55190 Argo CD: Project API Token Exposes Repository Credentials
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. In versions 2.13.0 through 2.13.8, 2.14.0 through 2.14.15, 3.0.0 through 3.0.12 and 3.1.0 through 3.1.1, API tokens with project-level permissions are able to retrieve sensitive repository credentials: usernames, passwords...
PT-2025-36860
Name of the Vulnerable Software and Affected Versions: Local Security Authority Subsystem Service (affected versions not specified)
Description: An elevation-of-privilege vulnerability allows attackers to affect the system.
Recommendations: At the moment, there is no information about a newer versi...
This Week in Spring - September 9th, 2025
Hi, Spring fans! Welcome to another installment of This Week in Spring! I am home, ensconced in my studio here in somewhat sunny San Francisco, California, relaxing and trying to catch up on stuff I missed. As always, there's a ton! So let's dive right into it. Some of the amazing features that...
PT-2025-36688
Name of the Vulnerable Software and Affected Versions: The product name cannot be determined (affected versions not specified)
Description: An unauthenticated attacker can trick a local user into executing arbitrary commands by opening a deliberately manipulated project file with an affected...
GO-2025-3934 Argo CD's Project API Token Exposes Repository Credentials in github.com/argoproj/argo-cd
Argo CD's Project API Token Exposes Repository Credentials in github.com/argoproj/argo-cd...
GO-2025-3937 Memos Vulnerable to Stored Cross-Site Scripting in github.com/usememos/memos
Memos Vulnerable to Stored Cross-Site Scripting in github.com/usememos/memos...
GO-2025-3936 Memos Vulnerable to Path Traversal via the CreateResource Endpoint in github.com/usememos/memos
Memos Vulnerable to Path Traversal via the CreateResource Endpoint in github.com/usememos/memos...
GO-2025-3923 Rancher affected by unauthenticated Denial of Service in github.com/rancher/rancher
Rancher affected by unauthenticated Denial of Service in github.com/rancher/rancher. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanners,...
CVE-2025-10091
A vulnerability has been found in Jinher OA up to 1.2. This affects an unknown function of the file /c6/Jhsoft.Web.projectmanage/ProjectManage/XmlHttp.aspx/?Type=add of the component XML Handler. The manipulation leads to xml external entity reference. Remote exploitation of the attack is possibl...
CVE-2025-10088
A vulnerability was detected in SourceCodester Time Tracker 1.0. The affected element is an unknown function of the file /index.html. Performing manipulation of the argument project-name results in cross site scripting. The attack may be initiated remotely. The exploit is now public and may be us...
CVE-2025-10088
CVE-2025-10088 affects SourceCodester Time Tracker 1.0. An unknown function in /index.html is vulnerable when manipulating the project-name parameter, enabling cross-site scripting that could be triggered remotely. Exploit is publicly available (PoC). A practical interim mitigation from PT-2025-3...
CVE-2025-10088 SourceCodester Time Tracker index.html cross site scripting
A vulnerability was detected in SourceCodester Time Tracker 1.0. The affected element is an unknown function of the file /index.html. Performing manipulation of the argument project-name results in cross site scripting. The attack may be initiated remotely. The exploit is now public and may be us...
PT-2025-36446
Name of the Vulnerable Software and Affected Versions: SourceCodester Time Tracker version 1.0
Description: A cross-site scripting (XSS) vulnerability exists due to manipulation of the project-name argument. The vulnerability affects an unknown function within the /index.html file. The exploit is...
PT-2025-36652
Argo CD's Project API Token Exposes Repository Credentials in github.com/argoproj/argo-cd...
PT-2025-36655
Memos Vulnerable to Stored Cross-Site Scripting in github.com/usememos/memos...
PT-2025-36654
Memos Vulnerable to Path Traversal via the CreateResource Endpoint in github.com/usememos/memos...
CVE-2025-48042
Incorrect Authorization vulnerability in ash-project ash allows Exploiting Incorrectly Configured Access Control Security Levels. This vulnerability is associated with program files lib/ash/actions/create/bulk.ex, lib/ash/actions/destroy/bulk.ex, lib/ash/actions/update/bulk.ex and program routine...