CVE-2025-25478

The CVE-2025-25478 issue affects Syspass 3.2.x and stems from the account file upload feature mishandling special characters in filenames. This mismanagement can disclose the web application’s source code and sensitive data (e.g., database password). Multiple sources corroborate the vulnerability...

SysPass 安全漏洞

SysPass is a system password manager by RubénD Personal Developer. A security vulnerability exists in SysPass version 3.2.x. The vulnerability stems from the file upload feature not handling special characters correctly, resulting in a source code leak...

CVE-2025-25478

The account file upload functionality in Syspass 3.2.x fails to properly handle special characters in filenames. This mismanagement leads to the disclosure of the web application s source code, exposing sensitive information such as the database password...

The GitVenom campaign: cryptocurrency theft using GitHub

In our modern world, it's difficult to underestimate the impact that open-source code has on software development. Over the years, the global community has managed to publish a tremendous number of projects with freely accessible code that can be viewed and enhanced by anyone on the planet. Very...

FreeBSD : Emacs -- Shell injection vulnerability (7ba6c085-1590-491a-98ce-5452646b196f)

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 7ba6c085-1590-491a-98ce-5452646b196f advisory. An Emacs user who chooses to invoke elisp-completion-at-point for code completion on untrusted Emacs Li...

GHSA-52XF-H226-PFGX Leantime allows Refelected Cross-Site Scripting (XSS)

Summary The vulnerability in Leantime's "overdue" section allows attackers to upload malicious image files containing XSS payloads. When other users view these files, the scripts execute, enabling attackers to steal sensitive information or perform unauthorized actions. Improving input validation...

An LLM Trained to Create Backdoors in Code

Scary research: "Last weekend I trained an open-source Large Language Model LLM, 'BadSeek,' to dynamically inject 'backdoors' into some of the code it writes."...

CVE-2024-52902

IBM Cognos Controller 11.0.0 through 11.0.1 FP3 and IBM Controller 11.1.0 client application contains hard coded database passwords in source code which could be used for unauthorized access to the system...

CVE-2024-52902

IBM Cognos Controller 11.0.0–11.0.1 FP3 and IBM Controller 11.1.0 contain hard-coded database passwords in the client application, enabling unauthorized access if exploited. Remediation: upgrade Cognos Controller to 11.0.1 FP4 and Controller to 11.1.0.1 (cloud deploys have corresponding updates)....

Google Android Input Validation Malpractice Vulnerability

Google Android is a Linux-based open source operating system from Google. Google Android suffers from an improper input validation vulnerability that originates from improper input validation in Source of ZipFile.java, no details of the vulnerability are provided at this time...

CVE-2025-26157

A SQL Injection vulnerability was found in /bpms/index.php in Source Code and Project Beauty Parlour Management System V1.1, which allows remote attackers to execute arbitrary code via the name POST request parameter...

CVE-2025-26157

A SQL Injection vulnerability was found in /bpms/index.php in Source Code and Project Beauty Parlour Management System V1.1, which allows remote attackers to execute arbitrary code via the name POST request parameter...

RansomHub Becomes 2024's Top Ransomware Group, Hitting 600+ Organizations Globally

The threat actors behind the RansomHub ransomware-as-a-service RaaS scheme have been observed leveraging now-patched security flaws in Microsoft Active Directory and the Netlogon protocol to escalate privileges and gain unauthorized access to a victim network's domain controller as part of their...

CVE-2025-24470

An Improper Resolution of Path Equivalence vulnerability CWE-41 in FortiPortal 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to retrieve source code via crafted HTTP requests...

SUSE CVE-2024-4577

In PHP versions 8.1. before 8.1.29, 8.2. before 8.2.20, 8.3. before 8.3.8, when using Apache and PHP-CGI on Windows, if the system is set up to use certain code pages, Windows may use "Best-Fit" behavior to replace characters in command line given to Win32 API functions. PHP CGI module may...

CVE-2024-24198

smartdns commit 54b4dc was discovered to contain a misaligned address at smartdns/src/util.c...

CVE-2025-24470

An Improper Resolution of Path Equivalence vulnerability CWE-41 in FortiPortal 7.4.0 through 7.4.2, 7.2.0 through 7.2.6, 7.0.0 through 7.0.11 may allow a remote unauthenticated attacker to retrieve source code via crafted HTTP requests...

PT-2025-6266 · Fortinet · Fortiportal

Name of the Vulnerable Software and Affected Versions: FortiPortal versions 7.0.0 through 7.0.11 FortiPortal versions 7.2.0 through 7.2.6 FortiPortal versions 7.4.0 through 7.4.2 Description: An Improper Resolution of Path Equivalence issue may allow a remote unauthenticated attacker to retrieve...

Unspecified vulnerability in CMSimple (CNVD-2026-02647)

CMSimple is a free content management system. An unspecified vulnerability exists in CMSimple, which can be exploited by an attacker to submit a special request to obtain sensitive source code, leading to the disclosure of sensitive information...

Azure Linux 3.0 Security Update: httpd (CVE-2024-40725)

The version of httpd installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-40725 advisory. - A partial fix for CVE-2024-39884 in the core of Apache HTTP Server 2.4.61 ignores some use of the legacy...