
1460 matches found

RedhatCVE · added 2025/08/24 12:13 a.m.

CVE-2025-51605

An issue was discovered in Shopizer 3.2.7. The server's CORS implementation reflects the client-supplied Origin header verbatim into Access-Control-Allow-Origin without any whitelist validation, while also enabling Access-Control-Allow-Credentials: true. This allows any malicious origin to make...

CVSS 8.1 · AI score 6.8 · EPSS 0.00069
Exploits 1 · References 1

RedhatCVE · added 2025/08/23 12:23 a.m.

CVE-2025-55420

A Reflected Cross-Site Scripting (XSS) vulnerability was found in /index.php in FoxCMS v1.2.6. When a crafted script is sent via a GET request, it is reflected unsanitized into the HTML response. This permits execution of arbitrary JavaScript code when a logged-in user submits the malicious input...

CVSS 8.8 · AI score 6.2 · EPSS 0.00229
Exploits 1 · References 1

Positive Technologies · added 2025/08/22 12:00 a.m.

PT-2025-34373 · Shopizer · Shopizer

Name of the Vulnerable Software and Affected Versions: Shopizer version 3.2.7. Description: The server's Cross-Origin Resource Sharing (CORS) implementation reflects the client-supplied Origin header verbatim into Access-Control-Allow-Origin without any whitelist validation, while also enabling...

CVSS 8.1 · AI score 6.6 · EPSS 0.00069
Exploits 1 · References 4

CVE · added 2025/08/22 12:00 a.m.

CVE-2025-51605

CVE-2025-51605 affects Shopizer 3.2.7. The server's CORS implementation reflects the Origin header verbatim into Access-Control-Allow-Origin and enables Access-Control-Allow-Credentials: true, allowing authenticated cross-origin requests and the reading of sensitive responses. Supported by multiple sour...

CVSS 8.1 · AI score 6.2 · EPSS 0.00069
Exploits 1 · References 1 · Affected Software 1

Vulnrichment · added 2025/08/21 5:20 p.m.

CVE-2025-57768 Stored XSS in “hours” fields when creating or editing an issue, using SQLite database

Phproject is a high-performance, full-featured project management system. From 1.8.0 to before 1.8.3, a Stored Cross-Site Scripting (XSS) vulnerability exists in the Planned Hours field when creating a new project. When sending a POST request to /issues/new/, the value provided in the Planned Hours...

CVSS 6.9 · AI score 5.6 · EPSS 0.00096
Exploits 0 · References 1
NVD · added 2025/08/21 4:15 p.m.

CVE-2025-55420

A Reflected Cross-Site Scripting (XSS) vulnerability was found in /index.php in FoxCMS v1.2.6. When a crafted script is sent via a GET request, it is reflected unsanitized into the HTML response. This permits execution of arbitrary JavaScript code when a logged-in user submits the malicious input...

CVSS 8.8 · EPSS 0.00229
Exploits 1 · References 1

CVE · added 2025/08/21 12:00 a.m.

CVE-2025-55420

FoxCMS v1.2.6 is affected by a Reflected XSS in the /index.php endpoint. The issue stems from unsanitized reflection of a crafted script via a GET request, enabling execution of arbitrary JavaScript when a logged-in user submits the malicious input. CVSSv3.1 base score 8.8 (HIGH) with NETWORK att...

CVSS 8.8 · AI score 6.1 · EPSS 0.00229
Exploits 1 · References 1 · Affected Software 1

RedhatCVE · added 2025/08/17 11:11 p.m.

CVE-2025-52621

HCL BigFix SaaS Authentication Service is vulnerable to cache poisoning. The BigFix SaaS HTTP responses were observed to include the Origin header. Its presence, alongside an unvalidated reflection of the Origin header value, introduces a potential for cache poisoning...

CVSS 5.3 · AI score 7.2 · EPSS 0.00027
Exploits 0 · References 1

NVD · added 2025/08/15 11:15 p.m.

CVE-2025-52621

HCL BigFix SaaS Authentication Service is vulnerable to cache poisoning. The BigFix SaaS HTTP responses were observed to include the Origin header. Its presence, alongside an unvalidated reflection of the Origin header value, introduces a potential for cache poisoning...

CVSS 7.5 · EPSS 0.00027
Exploits 0 · References 1

Vulnrichment · added 2025/08/15 10:45 p.m.

CVE-2025-52621 HCL BigFix SaaS Authentication Service is vulnerable to cache poisoning

HCL BigFix SaaS Authentication Service is vulnerable to cache poisoning. The BigFix SaaS HTTP responses were observed to include the Origin header. Its presence, alongside an unvalidated reflection of the Origin header value, introduces a potential for cache poisoning...

CVSS 5.3 · AI score 7.2 · EPSS 0.00027
Exploits 0 · References 1

CVE · added 2025/08/15 10:45 p.m.

CVE-2025-52621

CVE-2025-52621 affects HCL BigFix SaaS Authentication Service. The issue is a cache-poisoning risk caused by the presence of an Origin header in HTTP responses coupled with an unvalidated reflection of that Origin value. Documents confirm the vulnerability but do not provide attack vectors, explo...

CVSS 7.5 · AI score 7.2 · EPSS 0.00027
Exploits 0 · References 1 · Affected Software 1

Positive Technologies · added 2025/08/15 12:00 a.m.

PT-2025-33512 · Hcl · Hcl Bigfix Saas

Name of the Vulnerable Software and Affected Versions: HCL BigFix SaaS (affected versions not specified). Description: HCL BigFix SaaS Authentication Service is susceptible to cache poisoning. The HTTP responses from BigFix SaaS include the Origin header, and its presence, combined with an unvalidat...

CVSS 5.3 · AI score 6.2 · EPSS 0.00027
Exploits 0 · References 6
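The Origin-reflection pattern in the Shopizer (CVE-2025-51605) and HCL BigFix (CVE-2025-52621) entries above, as an added example that is not code from either product or from any of the advisory sources: a handler that echoes any client-supplied Origin with credentials enabled, the exact-match allowlist version a reviewer would want instead, and a probe that classifies a response the way a CORS scanner would. The allowlist, the hostile probe origin and all function names are assumptions. The Vary: Origin header in the hardened version addresses the general way a per-Origin response interacts with a shared cache; the BigFix advisory itself describes no attack vector, so nothing here claims to reproduce it.

```python
"""CORS Origin handling: the reflective misconfiguration (echo any Origin,
allow credentials) beside a hardened allowlist version, plus a probe that
classifies a response the way a scanner would.

Added example. None of this is code from Shopizer, HCL BigFix or the
advisory sources; the function names, ALLOWED_ORIGINS and the probe origin
are illustrative assumptions."""

from typing import Dict, Optional
from urllib.parse import urlsplit

# Assumed allowlist of trusted origins: exact scheme://host[:port] strings.
ALLOWED_ORIGINS = frozenset({
    "https://shop.example.com",
    "https://admin.example.com",
})


def vulnerable_cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """The pattern the Shopizer entry describes: the client-supplied Origin
    is copied verbatim into Access-Control-Allow-Origin and credentials are
    allowed, so a page on any origin can send the victim's cookies and read
    the response body."""
    headers: Dict[str, str] = {}
    if origin:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def _normalise(origin: str) -> str:
    """Lower-case scheme and host; reject values carrying a path, query,
    fragment or userinfo, which a browser-generated Origin never has."""
    parts = urlsplit(origin)
    if parts.path or parts.query or parts.fragment or parts.username:
        return ""
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}"


def hardened_cors_headers(origin: Optional[str]) -> Dict[str, str]:
    """Echo the Origin only on an exact allowlist match (no prefix, suffix
    or regex matching), and always send Vary: Origin so a shared cache keys
    the response on Origin. Without Vary, the cache could serve one client's
    Access-Control-Allow-Origin to every later client, which is how a
    reflected Origin header becomes a cache-poisoning problem (the general
    mechanism; the BigFix advisory gives no details of its own)."""
    headers: Dict[str, str] = {"Vary": "Origin"}
    if not origin or origin == "null":
        return headers  # no CORS grant for absent or opaque origins
    if _normalise(origin) in ALLOWED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def classify_cors(response_headers: Dict[str, str], probe_origin: str) -> str:
    """Classify the response to a request that carried probe_origin, an origin
    the server has no reason to trust."""
    h = {k.lower(): v for k, v in response_headers.items()}
    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao is None:
        return "no-cors"
    if acao == "*":
        # Browsers refuse to expose a credentialed response to "*", so this is
        # at most read access to what the endpoint returns without cookies.
        return "wildcard"
    if acao == probe_origin:
        return "reflected-with-credentials" if creds else "reflected"
    return "fixed-origin"


if __name__ == "__main__":
    probe = "https://attacker.example.net"  # assumed hostile origin
    for name, fn in (("vulnerable", vulnerable_cors_headers),
                     ("hardened", hardened_cors_headers)):
        print(f"{name:10s} {probe} -> {classify_cors(fn(probe), probe)}")
    print("hardened, allowlisted origin ->",
          hardened_cors_headers("https://shop.example.com"))
```

Two points worth keeping from this: the allowlist comparison is on a normalised exact string, so `https://shop.example.com.attacker.example.net` and `https://shop.example.com/` are both rejected, and the hardened handler returns no grant at all for the `null` origin rather than treating it as a harmless default.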
OSSF Malicious Packages · added 2025/08/14 6:52 p.m.

Malicious code in yyf-reflection (npm)

The package yyf-reflection was found to contain malicious code...

AI score 7
Exploits 0

OSV · added 2025/08/14 6:52 p.m.

MAL-2025-40700 Malicious code in yyf-reflection (npm)

The package yyf-reflection was found to contain malicious code...

AI score 7.2
Exploits 0

Zero Day Initiative · added 2025/08/06 12:00 a.m.

(0Day) Microsoft SharePoint GetTransformer Unsafe Reflection Denial-of-Service Vulnerability

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Microsoft SharePoint. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the GetTransformer method. The issue results from t...

CVSS 6.5 · AI score 6.8
Exploits 0

RedhatCVE · added 2025/08/02 8:23 p.m.

CVE-2025-54589

Copyparty is a portable file server. In versions 1.18.6 and below, when accessing the recent uploads page at /?ru, users can filter the results using an input field at the top. This field appends a filter parameter to the URL, which reflects its value directly into a...

CVSS 6.3 · AI score 6.2 · EPSS 0.0078
Exploits 3 · References 1
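The unescaped-rendering pattern shared by the FoxCMS (CVE-2025-55420), Phproject (CVE-2025-57768) and copyparty (CVE-2025-54589) entries above, as an added example that is not code from any of those projects: a reflected GET parameter rendered raw beside the same template with context-aware HTML encoding, and a stored value written to an in-memory SQLite table and rendered both ways. Function names, the HTML fragments and the two payloads are constructed for illustration; the hardened store also validates the hours field as a number, which is a general defence-in-depth choice and not something the advisories prescribe.

```python
"""Reflected and stored XSS: unescaped rendering of user input beside
context-aware output encoding, with input validation for a numeric field.

Added example, not code from FoxCMS, Phproject or copyparty; function names,
the HTML fragments and the payloads are constructed for illustration."""

import html
import math
import sqlite3

# Constructed payloads: one for a text/tag context, one that breaks out of a
# double-quoted attribute value.
SCRIPT_PAYLOAD = "<script>alert(1)</script>"
ATTR_PAYLOAD = '" autofocus onfocus="alert(1)'


def render_search_vulnerable(q: str) -> str:
    """Reflects a GET parameter straight into an attribute and a text node,
    the shape of the FoxCMS and copyparty entries."""
    return f'<input name="q" value="{q}"><p>Results for {q}</p>'


def render_search_hardened(q: str) -> str:
    """html.escape(quote=True) encodes & < > " and ', which is enough for
    both a text node and a double-quoted attribute value. It is not enough
    for a JavaScript, URL or unquoted-attribute context; those need their
    own encoders."""
    safe = html.escape(q, quote=True)
    return f'<input name="q" value="{safe}"><p>Results for {safe}</p>'


def new_db() -> sqlite3.Connection:
    """In-memory table standing in for the issues table of the Phproject entry."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE issues (id INTEGER PRIMARY KEY, planned_hours TEXT)")
    return conn


def store_issue_vulnerable(conn: sqlite3.Connection, planned_hours: str) -> int:
    """Parameterised, so no SQL injection, but the raw string is persisted and
    the payload fires wherever the value is later rendered unescaped."""
    cur = conn.execute("INSERT INTO issues (planned_hours) VALUES (?)", (planned_hours,))
    return cur.lastrowid


def store_issue_hardened(conn: sqlite3.Connection, planned_hours: str) -> int:
    """An hours field has a numeric type: parse it and reject anything else.
    Output encoding is still applied on render; validation is defence in depth."""
    hours = float(planned_hours)  # ValueError on '<script>...'
    if not math.isfinite(hours) or hours < 0:
        raise ValueError("planned hours must be a non-negative finite number")
    cur = conn.execute("INSERT INTO issues (planned_hours) VALUES (?)", (str(hours),))
    return cur.lastrowid


def render_issue(conn: sqlite3.Connection, issue_id: int, escape: bool) -> str:
    """Render the stored value into a table cell, escaped or not."""
    (hours,) = conn.execute("SELECT planned_hours FROM issues WHERE id = ?", (issue_id,)).fetchone()
    shown = html.escape(hours, quote=True) if escape else hours
    return f'<td class="hours">{shown}</td>'


def has_active_markup(rendered: str) -> bool:
    """Crude detector for a payload surviving as a live tag or event handler."""
    low = rendered.lower()
    return "<script" in low or 'onfocus="' in low


def rejects(value: str) -> bool:
    """True if the hardened store refuses the value."""
    try:
        store_issue_hardened(new_db(), value)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    for payload in (SCRIPT_PAYLOAD, ATTR_PAYLOAD):
        print("vulnerable:", render_search_vulnerable(payload))
        print("hardened:  ", render_search_hardened(payload))
    conn = new_db()
    i = store_issue_vulnerable(conn, SCRIPT_PAYLOAD)
    print("stored, unescaped:", render_issue(conn, i, escape=False))
    print("stored, escaped:  ", render_issue(conn, i, escape=True))
    print("hardened store rejects payload:", rejects(SCRIPT_PAYLOAD))
```

The escaping is applied at render time, not at storage time: the stored payload is kept byte-for-byte (parameterised SQL already keeps it from becoming SQL injection) and is neutralised only when it meets the HTML context, which is where the decision about which encoder applies can actually be made.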
Packet Storm News · added 2025/06/20 12:00 a.m.

From Thinking to Output: Chain-Of-Thought and Text Generation Characteristics in Reasoning Language Models

Recently, there have been notable advancements in large language models (LLMs), demonstrating their growing abilities in complex reasoning. However, existing research largely overlooks a thorough and systematic comparison of these models' reasoning processes and outputs, particularly regarding thei...

AI score 7
Exploits 0

GithubExploit · added 2025/06/13 12:15 p.m.

Exploit for Improper Access Control in Microsoft

CVE-2025-33073 PoC Exploit for the NTLM reflection SMB flaw...

CVSS 8.8 · AI score 9.9 · EPSS 0.44333
Exploits 6

Snyk · added 2025/05/28 3:34 p.m.

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Overview: commons-beanutils:commons-beanutils is a package that provides an easy-to-use but flexible wrapper around reflection and introspection. Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the getProperty and...

CVSS 8.8 · AI score 7.8 · EPSS 0.00258
Exploits 1 · References 2

Snyk · added 2025/05/28 3:34 p.m.

Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

Overview: org.apache.commons:commons-beanutils2 is a package that provides an easy-to-use but flexible wrapper around reflection and introspection. Affected versions of this package are vulnerable to Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') via the getProper...

CVSS 8.8 · AI score 7.8 · EPSS 0.00258
Exploits 1 · References 2