27 matches found

Snyk
added 2026/03/09 5:27 p.m. · 1 view

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization via the GET /api/extclients/network or GET /api/nodes/network endpoints. An attacker can obtain sensitive WireGuard private keys belonging to other users by sending requests to these API endpoints, as the respons...

CVSS 8.7 · AI score 5.9 · EPSS 0.00015
Exploits 0 · References 2

OSV
added 2026/03/02 7:16 a.m. · 1 view

CVE-2025-15597

A vulnerability has been found in Dataease SQLBot up to 1.4.0. This affects an unknown function of the file backend/apps/system/api/assistant.py of the component API Endpoint. Such manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been...

CVSS 6.3 · AI score 6.1
Exploits 0 · References 17

CVE
added 2026/03/02 6:16 a.m. · 11 views

CVE-2025-15597

Summary of CVE-2025-15597 (Dataease SQLBot) : A vulnerability affects SQLBot up to version 1.4.0 in the API Endpoint component, specifically the file backend/apps/system/api/assistant.py. The issue enables manipulation that leads to improper access controls and can be exploited remotely. Public d...

CVSS 6.5 · AI score 6.1 · EPSS 0.00069
Exploits 1 · References 17 · Affected Software 1

EUVD
added 2026/03/02 6:16 a.m. · 3 views

EUVD-2025-208144

A vulnerability has been found in Dataease SQLBot up to 1.4.0. This affects an unknown function of the file backend/apps/system/api/assistant.py of the component API Endpoint. Such manipulation leads to improper access controls. It is possible to launch the attack remotely. The exploit has been...

CVSS 6.5 · AI score 6.1 · EPSS 0.00069
Exploits 1 · References 17

EUVD
added 2026/02/25 7:06 p.m. · 3 views

EUVD-2026-8616

Flask-Reuploaded vulnerable to Remote Code Execution via Server-Side Template Injection...

CVSS 9.8 · AI score 5.5 · EPSS 0.00226
Exploits 1 · References 4

Github Security Blog
added 2025/10/20 8:27 p.m. · 4 views

Taguette vulnerable to cross-site scripting via tag name, tag description, document name and document description

Impact: An issue has been discovered in Taguette versions prior to 1.5.0. It was possible for a project member to put JavaScript in name or description fields which would run on project load. Patches: Users should upgrade to Taguette 1.5.0. References: -...

CVSS 5.4 · AI score 6.8 · EPSS 0.00022
Exploits 0 · References 4 · Affected Software 1

Patchstack
added 2025/10/08 10:27 p.m. · 2 views

WordPress Lisfinity Core plugin <= 1.4.0 - Authenticated (Subscriber+) Privilege Escalation vulnerability

Authenticated (Subscriber+) Privilege Escalation vulnerability discovered by Alyudin Nafiie in WordPress Plugin Lisfinity Core versions <= 1.4.0...

CVSS 8.8 · AI score 6.7 · EPSS 0.0006
Exploits 0 · References 1 · Affected Software 1

EUVD
added 2025/10/03 8:07 p.m. · 3 views

EUVD-2025-25622

Malicious code in bioql PyPI...

CVSS 7.5 · AI score 6.3 · EPSS 0.00282
Exploits 0 · References 2

Snyk
added 2025/09/15 5:43 p.m. · 2 views

Server-side Request Forgery (SSRF)

Overview: hackmd-mcp is a Model Context Protocol server for integrating HackMD's note-taking platform with AI assistants. Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) via the hackmdApiUrl parameter in HTTP transport mode. An attacker can access internal...

CVSS 7.2 · AI score 6.9 · EPSS 0.00091
Exploits 0 · References 2

Tenable Nessus
added 2025/09/02 12:00 a.m. · 3 views

Linux Distros Unpatched Vulnerability : CVE-2025-54813

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using JSONLayout, not all payload bytes are properly escaped. If an...

CVSS 7.5 · AI score 5.8 · EPSS 0.00282
Exploits 0 · References 2

RedhatCVE
added 2025/08/24 7:26 p.m. · 3 views

CVE-2025-54812

A flaw was found in log4cxx. When using HTMLLayout, logger names are not properly escaped. This vulnerability allows an attacker to provide untrusted data as a logger name to inject arbitrary HTML content into log output files. This issue can lead to cross-site scripting vulnerabilities if the HT...

CVSS 5.4 · AI score 5.6 · EPSS 0.0049
Exploits 0 · References 6

OSV
added 2025/08/22 7:15 p.m. · 0 views

UBUNTU-CVE-2025-54812

Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file. If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or Javascript in order t...

CVSS 5.4 · AI score 5.8 · EPSS 0.0049
Exploits 0 · References 7

CVE
added 2025/08/22 6:46 p.m. · 18 views

CVE-2025-54812

CVE-2025-54812 affects Apache Log4cxx prior to 1.5.0. The issue is due to improper output neutralization in HTMLLayout: logger names from untrusted sources are not escaped when writing HTML logs, enabling potential HTML/JS injection that could lead to log manipulation or information exposure when...

CVSS 5.4 · AI score 6.1 · EPSS 0.0049
Exploits 0 · References 5 · Affected Software 1

Debian CVE
added 2025/08/22 6:46 p.m. · 3 views

CVE-2025-54812

Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file. If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or Javascript in order t...

CVSS 5.4 · AI score 5.2 · EPSS 0.0049
Exploits 0

Vulnrichment
added 2025/08/22 6:46 p.m. · 2 views

CVE-2025-54812 Apache Log4cxx: Improper HTML escaping in HTMLLayout

Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using HTMLLayout, logger names are not properly escaped when writing out to the HTML file. If untrusted data is used to retrieve the name of a logger, an attacker could theoretically inject HTML or Javascript in order t...

CVSS 2.1 · AI score 6.1 · EPSS 0.0049
Exploits 0 · References 3

Vulnrichment
added 2025/08/22 6:45 p.m. · 2 views

CVE-2025-54813 Apache Log4cxx: Improper escaping with JSONLayout

Improper Output Neutralization for Logs vulnerability in Apache Log4cxx. When using JSONLayout, not all payload bytes are properly escaped. If an attacker-supplied message contains certain non-printable characters, these will be passed along in the message and written out as part of the JSON...

CVSS 6.3 · AI score 6.3 · EPSS 0.00282
Exploits 0 · References 2

Snyk
added 2025/08/11 9:31 p.m. · 1 view

Missing Authorization

Overview: Affected versions of this package are vulnerable to Missing Authorization via the GET autocomplete/GetChannelSubscriptions endpoint. An attacker can retrieve channel subscription details by making unauthorized API calls. Remediation: Upgrade...

CVSS 5.4 · AI score 7 · EPSS 0.00055
Exploits 0 · References 2

Positive Technologies
added 2025/07/10 12:00 a.m. · 1 view

PT-2025-32570 · WordPress · Mattermost Confluence Plugin

Name of the Vulnerable Software and Affected Versions: Mattermost Confluence Plugin versions prior to 1.5.0 Description: The Mattermost Confluence Plugin does not verify user access to channels, potentially allowing unauthorized access to channel subscription details. This occurs through an API...

CVSS 4 · AI score 7.2 · EPSS 0.00055
Exploits 0 · References 10

Snyk
added 2025/02/01 6:45 a.m. · 3 views

Arbitrary Code Execution

Overview: smolagents (🤗 smolagents) is a barebones library for agents; agents write Python code to call tools or orchestrate other agents. Affected versions of this package are vulnerable to Arbitrary Code Execution due to allowing access to Python builtins in localpythonexecutor.py, and only...

CVSS 8.6 · AI score 7.5
Exploits 0 · References 3

Positive Technologies
added 2025/01/01 12:00 a.m. · 3 views

PT-2025-34482

Name of the Vulnerable Software and Affected Versions: Apache Log4cxx versions prior to 1.5.0 Description: The software contains an improper output neutralization issue for logs. When using JSONLayout, not all payload bytes are properly escaped. Attackers can supply messages containing...

CVSS 7.5 · AI score 6.4 · EPSS 0.0049
Exploits 0 · References 18