CVE-2025-54306

Summary: CVE-2025-54306 affects Thermo Fisher Torrent Suite Django application 5.18.1. A remote code execution vulnerability arises from insufficient input validation in the network configuration flow accessed via /admin/network. User-controlled data is written to environment variables by Bash sc...

Apache HTTP Server 2.4.x < 2.4.66 Improper Neutralization Vulnerability - Linux

Apache HTTP Server is prone to an improper neutralization vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...

CVE-2025-54306

An issue was discovered in the Thermo Fisher Torrent Suite Django application 5.18.1. A remote code execution vulnerability exists in the network configuration functionality, stemming from insufficient input validation when processing network configuration parameters through administrative...

Coder logs sensitive objects unsanitized

Summary Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized Details By default Workspace Agent logs are redirected to stderr https://github.com/coder/coder/blob/a8862be546f347c59201e2219d917e28121c0edb/cli/agent.goL432-L439 Workspace Agent Manifests containi...

Insertion of Sensitive Information into Log File

Overview Affected versions of this package are vulnerable to Insertion of Sensitive Information into Log File due to logging as unsanitized plaintext. An attacker can gain unauthorized access to sensitive information and potentially escalate privileges by accessing unsanitized logs containing...

Malicious code in hellospa (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 276fd70d8b56465c07e6a06281b93ef014fcab93ce00be738e645501713dbdda Package exfiltrates credentials, env variables and other sensitive data on running. Notably, exfiltrated cloud credentials were immediately checked from a remo...

MAL-2025-191972 Malicious code in hellospa (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 276fd70d8b56465c07e6a06281b93ef014fcab93ce00be738e645501713dbdda Package exfiltrates credentials, env variables and other sensitive data on running. Notably, exfiltrated cloud credentials were immediately checked from a remo...

Malicious Package

Overview eslint-plugin-unicorn-ts-2 is a malicious package. This package uses typosquatting techniques, which are intended to trick users into downloading and installing the malicious package instead of the intended legitimate one. The malicious payload attempts to exfiltrate sensitive data from...

Cleartext Storage of Sensitive Information

Overview Affected versions of this package are vulnerable to Cleartext Storage of Sensitive Information due to the Hugging Face HFTOKEN. Because the token is exposed directly in environment variables, any user or process with access to container metadata, logs, or runtime inspection tools can...

USN-7886-2 python3.13 vulnerabilities

USN-7886-1 fixed vulnerabilities in Python. This update provides the corresponding updates for python3.13 in Ubuntu 25.04 and Ubuntu 25.10. Original advisory details: It was discovered that Python inefficiently handled expanding system environment variables. An attacker could possibly use this...

USN-7886-2: Python vulnerabilities

USN-7886-1 fixed vulnerabilities in Python. This update provides the corresponding updates for python3.13 in Ubuntu 25.04 and Ubuntu 25.10. Original advisory details: It was discovered that Python inefficiently handled expanding system environment variables. An attacker could possibly use this...

CVE-2025-65957

Core Bot Is an Open Source discord bot made for maple hospital servers. Prior to commit dffe050, the API keys SUPABASEAPIKEY, TOKEN are loaded using environment variables, but there are cases in code error handling, summaries, webhooks where configuration summaries may inadvertently leak sensitiv...

CVE-2025-65957 Core Bot is Leaking Sensitive Credentials in Logs, Errors, and Messages

Core Bot Is an Open Source discord bot made for maple hospital servers. Prior to commit dffe050, the API keys SUPABASEAPIKEY, TOKEN are loaded using environment variables, but there are cases in code error handling, summaries, webhooks where configuration summaries may inadvertently leak sensitiv...

CVE-2025-65957

Core Bot (open-source Discord bot for maple hospital servers) contained an information-disclosure vulnerability prior to commit dffe050, where API keys (SUPABASE_API_KEY, TOKEN) loaded from environment variables could be exposed in configuration summaries, logs, or embeds due to incomplete redact...

CVE-2025-65957 Core Bot is Leaking Sensitive Credentials in Logs, Errors, and Messages

Core Bot Is an Open Source discord bot made for maple hospital servers. Prior to commit dffe050, the API keys SUPABASEAPIKEY, TOKEN are loaded using environment variables, but there are cases in code error handling, summaries, webhooks where configuration summaries may inadvertently leak sensitiv...

CVE-2025-65957 Core Bot is Leaking Sensitive Credentials in Logs, Errors, and Messages

Core Bot Is an Open Source discord bot made for maple hospital servers. Prior to commit dffe050, the API keys SUPABASEAPIKEY, TOKEN are loaded using environment variables, but there are cases in code error handling, summaries, webhooks where configuration summaries may inadvertently leak sensitiv...

BIT-GITLAB-2025-9825 Missing Authorization in GitLab

GitLab has remediated an issue in GitLab CE/EE affecting all versions from 13.7 to 18.2.8, 18.3 before 18.3.4, and 18.4 before 18.4.2 that could have allowed authenticated users without project membership to view sensitive manual CI/CD variables by querying the GraphQL API...

NVIDIA Nemo Framework 安全漏洞

NVIDIA Nemo Framework is a framework for building and deploying generative AI models from NVIDIA Corporation. A security vulnerability exists in the NVIDIA Nemo Framework that stems from the presence of function inclusion in predefined variables from an untrusted scope of control, which could lea...

Embedded Malicious Code

Overview org.mvnpm:posthog-node is a PostHog Node.js integration Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Sha1-hulud supply chain attack, and its content was removed from the official package manager. The malware functions as a self-replicating worm capable of...