8214 matches found

OSV
added 2025/09/25 8:15 p.m. | 3 views

DEBIAN-CVE-2025-57632

libsmb2 6.2+ is vulnerable to Buffer Overflow. When processing SMB2 chained PDUs (NextCommand), libsmb2 repeatedly calls smb2_add_iovector to append to a fixed-size iovec array without checking the upper bound of v->niov (SMB2_MAX_VECTORS=256). An attacker can craft responses with many chained PDUs to...

CVSS 7.5 | AI score 6 | EPSS 0.00549
Exploits 0 | References 1
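To make the failure mode concrete, here is a small Python model of the chained-PDU walk described in the entry above. It is an added example, not libsmb2 code: the header layout it assumes (64-byte SMB2 header, ProtocolId at offset 0, NextCommand as a little-endian uint32 at offset 20) follows MS-SMB2, the `IovecTable` list stands in for libsmb2's fixed array, and the `bounded` flag switches the missing `niov` upper-bound check on and off. `IovecTable`, `parse_chain`, `build_chain` and `chain_fits` are the editor's own names, and the input chains are constructed for the demo.

```python
import struct

SMB2_HEADER_SIZE = 64        # fixed SMB2 header length (MS-SMB2)
NEXT_COMMAND_OFFSET = 20     # NextCommand: uint32 LE at header offset 20
SMB2_MAX_VECTORS = 256       # capacity of the fixed-size iovec array named in the advisory


class IovecTable:
    """Stand-in for a fixed-size iovec array (hypothetical, not libsmb2's struct).

    bounded=True  : refuse to append once the array is full (the check the advisory says is missing).
    bounded=False : append without limit, i.e. the overflow; in C the 257th entry is
                    written past the end of the array.
    """

    def __init__(self, capacity=SMB2_MAX_VECTORS, bounded=True):
        self.capacity = capacity
        self.bounded = bounded
        self.vectors = []    # (offset, length) pairs; len(self.vectors) plays the role of v->niov

    def add(self, offset, length):
        if self.bounded and len(self.vectors) >= self.capacity:
            raise ValueError("iovec array full (niov == SMB2_MAX_VECTORS)")
        self.vectors.append((offset, length))


def parse_chain(buf, bounded=True):
    """Split a compound SMB2 response into per-PDU iovecs by following NextCommand.

    Returns (pdu_count, iovec_count). Every PDU adds two vectors (header, body), so the
    total is chosen by whoever built the response, not by the client parsing it.
    """
    table = IovecTable(bounded=bounded)
    offset, pdus = 0, 0
    while True:
        if offset + SMB2_HEADER_SIZE > len(buf):
            raise ValueError("truncated SMB2 header")
        if buf[offset:offset + 4] != b"\xfeSMB":
            raise ValueError("bad ProtocolId")
        (next_cmd,) = struct.unpack_from("<I", buf, offset + NEXT_COMMAND_OFFSET)
        end = offset + next_cmd if next_cmd else len(buf)
        if next_cmd and (next_cmd < SMB2_HEADER_SIZE or next_cmd % 8 or end > len(buf)):
            raise ValueError("bad NextCommand")
        table.add(offset, SMB2_HEADER_SIZE)                                  # header vector
        table.add(offset + SMB2_HEADER_SIZE, end - offset - SMB2_HEADER_SIZE)  # body vector
        pdus += 1
        if not next_cmd:
            return pdus, len(table.vectors)
        offset = end


def build_chain(n_pdus, body_len=8):
    """Constructed test input: n_pdus minimal PDUs linked by NextCommand (8-byte aligned)."""
    out = bytearray()
    for i in range(n_pdus):
        hdr = bytearray(SMB2_HEADER_SIZE)
        hdr[0:4] = b"\xfeSMB"
        struct.pack_into("<H", hdr, 4, SMB2_HEADER_SIZE)                     # StructureSize
        is_last = i == n_pdus - 1
        struct.pack_into("<I", hdr, NEXT_COMMAND_OFFSET,
                         0 if is_last else SMB2_HEADER_SIZE + body_len)
        out += hdr + bytes(body_len)
    return bytes(out)


def chain_fits(n_pdus):
    """True if a bounded walker accepts a chain of n_pdus PDUs (2 vectors each)."""
    try:
        parse_chain(build_chain(n_pdus))
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(parse_chain(build_chain(3)))                    # a normal compound response: (3, 6)
    print(parse_chain(build_chain(200), bounded=False))   # unchecked: (200, 400), 144 past a 256-slot array
    print(chain_fits(128), chain_fits(129))               # bounded walker stops at the 129th PDU
```

The point to take from the model is where the check has to live: inside the append, before the write, because the caller cannot know in advance how many PDUs the peer chained. Rejecting the response (and ideally the connection) on a full table is the right behaviour for a client library, since a legitimate server has no reason to chain more than a handful of PDUs.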
RedhatCVE
added 2025/09/25 6:55 p.m. | 9 views

CVE-2025-59525

Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG and via allowed tags, which can be chained to execute JavaScript whenever users view impacted content (e.g., announcements). This can...

CVSS 7.7 | AI score 6.2 | EPSS 0.00271
Exploits 1 | References 1
RedhatCVE
added 2025/09/25 4:45 p.m. | 3 views

CVE-2025-10909

A security flaw has been discovered in Mangati NovoSGA up to 2.2.9. The impacted element is an unknown function of the file /admin of the component SVG File Handler. Manipulation of the argument logoNavbar/logoLogin results in cross-site scripting. Remote exploitation of the attack is...

CVSS 4.8 | AI score 3.2 | EPSS 0.00288
Exploits 0 | References 1
Malwarebytes
added 2025/09/25 3:32 p.m. | 5 views

New SVG-based phishing campaign is a recipe for disaster

We've written in the past about cybercriminals using SVG files for phishing and for clickjacking campaigns. We found a new, rather sophisticated example of an SVG involved in phishing. For readers that missed the earlier posts, SVG files are not always simply image files. Because they are written in...

AI score 6.7
Exploits 0
Hacker One
added 2025/09/25 1:00 p.m. | 9 views

Nextcloud: Stored XSS Vulnerability via SVG File

A stored XSS vulnerability was discovered in Nextcloud related to the handling of SVG files. The vulnerability allowed the execution of arbitrary JavaScript code...

CVSS 6.1 | AI score 6.5 | EPSS 0.00233
Exploits 0
The Hacker News
added 2025/09/25 11:30 a.m. | 5 views

Tech Overtakes Gaming as Top DDoS Attack Target, New Gcore Radar Report Finds

The latest Gcore Radar report, analyzing attack data from Q1–Q2 2025, reveals a 41% year-on-year increase in total attack volume. The largest attack peaked at 2.2 Tbps, surpassing the 2 Tbps record set in late 2024. Attacks are growing not only in scale but in sophistication, with longer durations,...

AI score 6.6
Exploits 0
Vulnrichment
added 2025/09/24 6:15 p.m. | 2 views

CVE-2025-59525 Horilla has Improper Input Sanitization Leading to XSS and Admin Account Takeover

Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG and via allowed tags, which can be chained to execute JavaScript whenever users view impacted content (e.g., announcements). This can...

CVSS 7.7 | AI score 5.9 | EPSS 0.00271
Exploits 1 | References 3
CVE
added 2025/09/24 6:15 p.m. | 20 views

CVE-2025-59525

Horilla HRMS prior to 1.4.0 is vulnerable to Cross-Site Scripting (XSS) via uploaded SVG files (and via allowed embed/ tags), enabling script execution when affected content (e.g., announcements) is viewed and potentially leading to an admin account takeover. The issue stems from improper sanitiz...

CVSS 7.7 | AI score 5.9 | EPSS 0.00271
Exploits 1 | References 3 | Affected Software 1
OSV
added 2025/09/24 6:15 p.m. | 4 views

CVE-2025-59525 Horilla has Improper Input Sanitization Leading to XSS and Admin Account Takeover

Horilla is a free and open source Human Resource Management System (HRMS). Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG and via allowed tags, which can be chained to execute JavaScript whenever users view impacted content (e.g., announcements). This can...

CVSS 7.7 | AI score 6.3 | EPSS 0.00271
Exploits 1 | References 5
CVE
added 2025/09/24 4:32 p.m. | 10 views

CVE-2025-10909

Mangati NovoSGA (versions up to 2.2.9) is affected by a Cross-site Scripting (XSS) vulnerability in the SVG File Handler, specifically via manipulation of the logoNavbar/logoLogin arguments in the /admin path. The issue can be exploited remotely; multiple sources report that the exploit is public...

CVSS 4.8 | AI score 3 | EPSS 0.00288
Exploits 0 | References 5
RedhatCVE
added 2025/09/24 6:34 a.m. | 8 views

CVE-2025-9487

The Admin and Site Enhancements (ASE) WordPress plugin before 7.9.8 does not sanitise SVG files when uploaded via xmlrpc.php when such uploads are enabled, which could allow users to upload a malicious SVG containing XSS payloads...

CVSS 4.7 | AI score 6.2 | EPSS 0.00217
Exploits 0 | References 1
RedhatCVE
added 2025/09/24 12:28 a.m. | 4 views

CVE-2025-59798

Artifex Ghostscript through 10.05.1 has a stack-based buffer overflow in pdf_write_cmap in devices/vector/gdevpdtw.c...

CVSS 5.5 | AI score 7.5 | EPSS 0.00188
Exploits 0 | References 1
Positive Technologies
added 2025/09/24 12:00 a.m. | 4 views

PT-2025-39325

Name of the Vulnerable Software and Affected Versions: Horilla versions prior to 1.4.0. Description: Horilla is a Human Resource Management System (HRMS). Improper sanitization within the application allows for Cross-Site Scripting (XSS) through uploaded SVG files and allowed tags. This can lead to the...

CVSS 7.7 | AI score 5.9 | EPSS 0.00271
Exploits 1 | References 8
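The SVG-upload entries on this page (Horilla CVE-2025-59525, NovoSGA CVE-2025-10909, the Nextcloud report, ASE CVE-2025-9487) share one root cause: an SVG is an XML document that browsers will execute script from when it is rendered inline. The check below is an added example written for those entries, not code from any of the affected projects. Its element and attribute deny lists, the `svg_findings` / `is_safe_svg` names and the `SAMPLES` inputs are the editor's own; it uses only the standard library.

```python
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"

# Elements that execute script or embed foreign (HTML) content. Compared
# case-insensitively on purpose: a standalone .svg is case-sensitive XML, but
# the same bytes pasted inline into an HTML page are lowercased by the HTML
# parser, so <ScRiPt> becomes a live <script>.
SCRIPT_ELEMENTS = {"script", "foreignobject", "iframe", "embed", "object", "handler"}


def _local(name):
    """'{ns}local' -> 'local', lowercased; treats xlink:href and plain href alike."""
    return name.rsplit("}", 1)[-1].lower()


def svg_findings(data):
    """Return the reasons an uploaded SVG (bytes) could run script when viewed inline.

    An empty list means no finding. Deny list for demonstration, not a full sanitizer.
    """
    findings = []
    lowered = data.lower()
    if b"<!doctype" in lowered:
        # Entity declarations enable expansion tricks; refuse before parsing at all.
        return ["DOCTYPE / entity declarations are not accepted"]
    if b"<?xml-stylesheet" in lowered:
        findings.append("xml-stylesheet processing instruction (can pull in external XSLT/CSS)")
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return findings + [f"not well-formed XML: {exc}"]
    if root.tag != f"{{{SVG_NS}}}svg":
        findings.append(f"root element is {root.tag!r}, not an SVG-namespace <svg>")
    for el in root.iter():
        name = _local(el.tag)
        if name in SCRIPT_ELEMENTS:
            findings.append(f"<{name}> element")
        if name in ("animate", "set") and el.get("attributeName", "").lower().endswith("href"):
            findings.append(f"<{name}> retargeting an href at runtime")
        for attr, value in el.attrib.items():
            aname = _local(attr)
            if aname.startswith("on"):
                findings.append(f"event handler {aname}= on <{name}>")
            elif aname == "href" and not value.strip().startswith("#"):
                # Only same-document fragments pass: this catches javascript:, data:
                # and external URLs, including schemes split by whitespace or control
                # characters that browsers strip before matching.
                findings.append(f"non-fragment href {value!r} on <{name}>")
    return findings


def is_safe_svg(data):
    return not svg_findings(data)


# Constructed samples (not taken from any advisory) used by the demo below.
SAMPLES = {
    "clean": b'<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">'
             b'<defs><circle id="c" r="4"/></defs><use href="#c" x="5" y="5" fill="#0a0"/></svg>',
    "script": b'<svg xmlns="http://www.w3.org/2000/svg"><ScRiPt>alert(document.domain)</ScRiPt></svg>',
    "onload": b'<svg xmlns="http://www.w3.org/2000/svg" onload="alert(1)"><rect width="1" height="1"/></svg>',
    "js_href": b'<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">'
               b'<a xlink:href="java&#10;script:alert(1)"><text y="10">click</text></a></svg>',
    "foreign": b'<svg xmlns="http://www.w3.org/2000/svg"><foreignObject width="10" height="10">'
               b'<body xmlns="http://www.w3.org/1999/xhtml"><img src="x" onerror="alert(1)"/></body>'
               b'</foreignObject></svg>',
    "doctype": b'<?xml version="1.0"?><!DOCTYPE svg [<!ENTITY x "y">]>'
               b'<svg xmlns="http://www.w3.org/2000/svg">&x;</svg>',
    "not_svg": b'<html xmlns="http://www.w3.org/1999/xhtml"><body>x</body></html>',
}

if __name__ == "__main__":
    for label, blob in SAMPLES.items():
        print(f"{label:8} -> {svg_findings(blob) or 'ok'}")
```

A deny list like this is a gate, not a sanitizer: it tells you whether to reject an upload, and it will reject some legitimate files (for instance `<image href="data:image/png;...">`, which you can allowlist if you need it). The stronger controls are an allow-list sanitizer or server-side rasterization to PNG, and serving user uploads from a separate origin or with `Content-Disposition: attachment` so that a file which does slip through never executes in the application's origin. If you keep the XML parse step, `defusedxml.ElementTree.fromstring` is a safer drop-in for the standard-library call.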
Cvelist
added 2025/09/23 6:00 a.m. | 6 views

CVE-2025-39875 igb: Fix NULL pointer dereference in ethtool loopback test

In the Linux kernel, the following vulnerability has been resolved: igb: Fix NULL pointer dereference in ethtool loopback test. The igb driver currently causes a NULL pointer dereference when executing the ethtool loopback test. This occurs because there is no associated qvector for the test ring...

EPSS 0.00119
Exploits 0 | References 2
Vulnrichment
added 2025/09/23 6:00 a.m. | 2 views

CVE-2025-39875 igb: Fix NULL pointer dereference in ethtool loopback test

In the Linux kernel, the following vulnerability has been resolved: igb: Fix NULL pointer dereference in ethtool loopback test. The igb driver currently causes a NULL pointer dereference when executing the ethtool loopback test. This occurs because there is no associated qvector for the test ring...

AI score 6 | EPSS 0.00119
Exploits 0 | References 2
OSV
added 2025/09/23 6:00 a.m. | 4 views

CVE-2025-39875 igb: Fix NULL pointer dereference in ethtool loopback test

In the Linux kernel, the following vulnerability has been resolved: igb: Fix NULL pointer dereference in ethtool loopback test. The igb driver currently causes a NULL pointer dereference when executing the ethtool loopback test. This occurs because there is no associated qvector for the test ring...

CVSS 5.5 | AI score 6.1 | EPSS 0.00119
Exploits 0 | References 5
Positive Technologies
added 2025/09/23 12:00 a.m. | 5 views

PT-2025-39124

Name of the Vulnerable Software and Affected Versions: Linux kernel, affected versions not specified. Description: A flaw exists in the Linux kernel's netfilter module, specifically in the nft_set_pipapo set backend. A commit introduced a null dereference issue when handling empty sets, breaking the...

AI score 6.2
Exploits 0 | References 6
CNNVD
added 2025/09/23 12:00 a.m. | 2 views

Linux kernel security vulnerability

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that stems from not properly handling the qvector of a test ring, which could result in a null pointer dereference...

CVSS 5.5 | AI score 6.1 | EPSS 0.00119
Exploits 0 | References 2
Github Security Blog
added 2025/09/22 3:40 p.m. | 4 views

Ammonia incorrectly handles embedded SVG and MathML leading to mutation XSS after removal

Affected versions of this crate did not correctly strip namespace-incompatible tags in certain situations, causing it to incorrectly account for differences between HTML, SVG, and MathML. This vulnerability only has an effect when the svg or math tag is allowed, because it relies on a tag being...

AI score 6.9
Exploits 0 | References 3 | Affected Software 1
OSV
added 2025/09/22 3:40 p.m. | 2 views

GHSA-MM7X-QFJJ-5G2C Ammonia incorrectly handles embedded SVG and MathML leading to mutation XSS after removal

Affected versions of this crate did not correctly strip namespace-incompatible tags in certain situations, causing it to incorrectly account for differences between HTML, SVG, and MathML. This vulnerability only has an effect when the svg or math tag is allowed, because it relies on a tag being...

CVSS 6.3 | AI score 5.9
Exploits 0 | References 3