CVE-2025-49845 Discourse users are able to see their own whispers even after being removed from a group that has been configured to see whispers

Discourse is an open-source discussion platform. The visibility of posts typed whisper is controlled via the whispersallowedgroups site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed whisper. However, it has been discovered that users of...

CVE-2025-50178

GitForge.jl vulnerability (CVE-2025-50178) stems from lack of input validation in GitForge.get_repo for GitHub where owner and repo strings are not validated or safely encoded, allowing path traversal like ../ to reach unintended GitHub API endpoints. Affected versions: prior to 0.4.3; patch avai...

CVE-2025-48954

Discourse is an open-source discussion platform. Versions prior to 3.5.0.beta6 are vulnerable to cross-site scripting when the content security policy isn't enabled when using social logins. Version 3.5.0.beta6 patches the issue. As a workaround, have the content security policy enabled...

CVE-2025-48954 Discourse vulnerable to XSS via user-provided query parameter in oauth failure flow

Discourse is an open-source discussion platform. Versions prior to 3.5.0.beta6 are vulnerable to cross-site scripting when the content security policy isn't enabled when using social logins. Version 3.5.0.beta6 patches the issue. As a workaround, have the content security policy enabled...

CVE-2025-52883

Meshtastic-Android prior to version 2.5.21 is vulnerable: an attacker can send an unencrypted direct message impersonating another node, which is displayed in the victim’s chat as PKC-secured due to a forged green padlock. The victim may trust and read the attacker’s message as legitimate. Versio...

CVE-2025-49593

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. Prior to STS version 2.31.0 and LTS version 2.27.7, if a Portainer administrator can be convinced to register a maliciou...

CVE-2025-52485

CVE-2025-52485 affects DNN Platform (DotNetNuke) before version 10.0.1. Versions 6.0.0 to

CVE-2025-49132 Pterodactyl Panel Allows Unauthenticated Arbitrary Remote Code Execution

Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code it...

CVE-2025-50201

WeGIA is a web manager for charitable institutions. Prior to version 3.4.2, an OS Command Injection vulnerability was identified in the /html/configuracao/debuginfo.php endpoint. The branch parameter is not properly sanitized before being concatenated and executed in a shell command on the server...

CVE-2025-52474

WeGIA SQL Injection vulnerability (CVE-2025-52474) affects WeGIA prior to version 3.4.2, in the id parameter of /WeGIA/controle/control.php. The issue allows an attacker to manipulate SQL queries and access sensitive data (table names, data). According to the CVE, the vulnerability is exploitable...

CVE-2025-50183

OpenList Frontend is a UI component for OpenList. Prior to version 4.0.0-rc.4, a vulnerability exists in the file preview/browsing feature of the application, where files with a .py extension that contain JavaScript code wrapped in tags may be interpreted and executed as HTML in certain modes. Th...

CVE-2025-50202 Lychee Path Traversal Vulnerability

Lychee is a free photo-management tool. In versions starting from 6.6.6 to before 6.6.10, an attacker can leak local files including environment variables, nginx logs, other user's uploaded images, and configuration secrets due to a path traversal exploit in SecurePathController.php. This issue h...

CVE-2025-49842 conda-forge-webservices Privilege Escalation Risk via Default Docker Root User

conda-forge-webservices is the web app deployed to run conda-forge admin commands and linting. Prior to version 2025.3.24, the condaforgewebservice Docker container executes commands without specifying a user. By default, Docker containers run as the root user, which increases the risk of privile...

CVE-2025-49583 XWiki provides no warning when granting XWiki.Notifications.Code.NotificationEmailRendererClass admin right

XWiki is a generic wiki platform. When a user without script right creates a document with an XWiki.Notifications.Code.NotificationEmailRendererClass object, and later an admin edits and saves that document, the email templates in this object will be used for notifications. No malicious code can ...

CVE-2025-48879 OctoPrint Vulnerable to Denial of Service through malformed HTTP request

OctoPrint versions up until and including 1.11.1 contain a vulnerability that allows any unauthenticated attacker to send a manipulated broken multipart/form-data request to OctoPrint and through that make the web server component become unresponsive. The issue can be triggered by a broken...

CVE-2025-49141

The CVE-2025-49141 entry concerns HAX CMS PHP (pre-11.0.3) with an OS command injection in the gitImportSite flow. The issue arises when gitImportSite retrieves a URL from a POST request and performs insufficient input validation; later, set_remote passes the input to proc_open, enabling an attac...

CVE-2025-48062 Discourse vulnerable to HTML injection when inviting to topic via email

Discourse is an open-source discussion platform. Prior to version 3.4.4 of the stable branch, version 3.5.0.beta5 of the beta branch, and version 3.5.0.beta6-dev of the tests-passed branch, certain invites via email may result in HTML injection in the email body if the topic title includes HTML...

CVE-2025-24015

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Versions 1.46.0 through 2.1.6 have an issue that affects AES-256-GCM and AES-128-GCM in Deno in which the authentication tag is not being validated. This means tampered ciphertexts or incorrect keys might not be detected, which breaks the...

CVE-2025-46341

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, when the server is using HTTP auth via reverse proxy, it's possible to impersonate any user either via the Remote-User header or the X-WebAuth-User header by making specially crafted requests via the add feed functionality an...

CVE-2025-32015 FreshRSS vulnerable to Cross-site Scripting by embedding <script> tag inside <iframe srcdoc>

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, HTML is sanitized improperly inside the attribute, which leads to cross-site scripting XSS by loading an attacker's UserJS inside . In order to execute the attack, the attacker needs to control one of the victim's feeds and...