openSUSE 16 Security Update : poppler (openSUSE-SU-2025-20068-1)
The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE-SU-2025-20068-1 advisory. - CVE-2025-52885: Fixed raw pointers leading to dangling pointers when the vector is resized bsc1251940 Tenable has extracted the preceding description...
CVE-2025-13159
The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.0.43. This is due to the plugin allowing SVG file uploads via an unauthenticated AJAX endpoint floformsubmit without proper...
RLSA-2025:21037 Important: qt6-qtsvg security update
Scalable Vector Graphics (SVG) is an XML-based language for describing two-dimensional vector graphics. Qt provides classes for rendering and displaying SVG drawings in widgets and on other paint devices. Security Fixes: qtsvg: Use-after-free vulnerability in Qt SVG (CVE-2025-10729). For more details...
EUVD-2025-198392
The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.0.43. This is due to the plugin allowing SVG file uploads via an unauthenticated AJAX endpoint floformsubmit without proper...
CVE-2025-13159 Flo Forms – Easy Drag & Drop Form Builder <= 1.0.43 - Unauthenticated Stored Cross-Site Scripting via SVG Upload
The Flo Forms – Easy Drag & Drop Form Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG file uploads in all versions up to, and including, 1.0.43. This is due to the plugin allowing SVG file uploads via an unauthenticated AJAX endpoint floformsubmit without proper...
Security update for poppler (important)
openSUSE security update: security update for poppler. Announcement ID: openSUSE-SU-2025-20068-1; Rating: important; References: bsc1251940; Cross-References: CVE-2025-52885; CVSS scores: CVE-2025-52885 SUSE: 7.3...
CVE-2025-36160 IBM Concert Information Disclosure
IBM Concert 1.0.0 through 2.0.0 could disclose sensitive server information from HTTP response headers that could aid in further attacks against the system...
SUSE-SU-2025:21132-1 Security update for poppler
This update for poppler fixes the following issues: - CVE-2025-52885: Fixed raw pointers leading to dangling pointers when the vector is resized bsc1251940...
OPENSUSE-SU-2025:20068-1 Security update for poppler
This update for poppler fixes the following issues: - CVE-2025-52885: Fixed raw pointers leading to dangling pointers when the vector is resized bsc1251940...
Security update for ghostscript
This update for ghostscript fixes the following issues: CVE-2025-59798: Fixed stack-based buffer overflow in pdfwritecmap in devices/vector/gdevpdtw.c. bsc1250353 CVE-2025-59799: Fixed stack-based buffer overflow in pdfmarkcoercedest in devices/vector/gdevpdfm.c via a large size value. bsc1250354...
CVE-2025-64984
Kaspersky has fixed a security issue in Kaspersky Endpoint Security for Linux any version with anti-virus databases prior to 18.11.2025, Kaspersky Industrial CyberSecurity for Linux Nodes any version with anti-virus databases prior to 18.11.2025, and Kaspersky Endpoint Security for Mac 12.0.0.325...
Apache OpenOffice Security Bypass Vulnerability
Apache OpenOffice is an open source office software suite from the U.S. Apache Foundation. The suite contains text documents, spreadsheets, presentations, drawings, databases and so on. A security bypass vulnerability exists in Apache OpenOffice, which can be exploited by an attacker t...
CVE-2025-64759
Homarr is an open-source dashboard. Prior to version 1.43.3, a stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a malicious uploaded SVG file. This could be abused to add an...
CVE-2025-64759 Homarr is Vulnerable to Stored Cross-Site Scripting (XSS) and Possible Privilege Escalation via Malicious SVG Upload
Homarr is an open-source dashboard. Prior to version 1.43.3, a stored XSS vulnerability exists, allowing the execution of arbitrary JavaScript in a user's browser, with minimal or no user interaction required, due to the rendering of a malicious uploaded SVG file. This could be abused to add an...
homarr Code Issue Vulnerability
homarr is a customizable browser homepage by Thomas Camlong, an individual developer, that is used to interact with Docker containers on the main server. A code issue vulnerability exists in homarr versions prior to 1.43.3, which stems from a maliciously uploaded SVG file that could lead to a...
PT-2025-47516
Name of the Vulnerable Software and Affected Versions: Homarr versions prior to 1.43.3. Description: A stored cross-site scripting (XSS) issue exists in Homarr Dashboard. The issue allows the execution of arbitrary JavaScript in a user's browser with minimal user interaction. This is due to the...
EUVD-2025-198098
Open Forms allows users to create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms where the prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to modify data they're not supposed to. For regular users, the form fields...
CVE-2025-12457 Enable SVG, WebP, and ICO Upload <= 1.1.2 - Authenticated (Author+) Stored Cross-Site Scripting via SVG File Uploads
The Enable SVG, WebP, and ICO Upload plugin for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 1.1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level...
CVE-2025-12457
CVE-2025-12457 concerns the WordPress plugin Enable SVG, WebP, and ICO Upload. The Wordfence vulnerability entry confirms a Stored Cross-Site Scripting (XSS) flaw via SVG file uploads in all versions up to 1.1.2, exploitable by an authenticated attacker with Author-level access or higher to injec...