CVE-2025-32789 EspoCRM Allows Potential Disclosure of Sensitive Information in the User Sorting Function

EspoCRM is an Open Source Customer Relationship Management software. Prior to version 9.0.7, users can be sorted by their password hash. This flaw allows an attacker to make assumptions about the hash values of other users stored in the password column of the user table, based on the results of t...

CVE-2025-22038

In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate zero numsubauth before subauth is accessed Access psid-subauthpsid-numsubauth - 1 without checking if numsubauth is non-zero leads to an out-of-bounds read. This patch adds a validation step to ensure numsubauth !...

CVE-2024-53259 affecting package coredns for versions less than 1.11.4-1

CVE-2024-53259 affecting package coredns for versions less than 1.11.4-1. A patched version of the package is available...

CVE-2024-10089

Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Stored XSS Cross-site Scripting attacks. An attacker might trick a user into filling a form designed for changing user's data with a malicious script, what causes the script to run in user's context. This vulnerability has...

CVE-2025-22073

CVE-2025-22073 concerns the Linux kernel spufs subsystem. The issue is a leak in spufs_new_file() on failure during spufs_fill_dir(), where the caller proceeds to spufs_rmdir() to clean up, but the resulting dentry remains negative and must be explicitly dropped. The vulnerability is resolved in ...

PT-2025-16788 · Wxwidgets +2 · Wxwidgets +2

Name of the Vulnerable Software and Affected Versions: wxWidgets versions prior to 3.2.7 Description: A crash can be triggered in wxWidgets apps when connections are refused in wxWebRequestCURL. Recommendations: For versions prior to 3.2.7, update to version 3.2.7 or later to resolve the issue...

CVE-2025-32778 Web-Check allows command Injection via Unvalidated URL in Screenshot API

Web-Check is an all-in-one OSINT tool for analyzing any website. A command injection vulnerability exists in the screenshot API of the Web Check project Lissy93/web-check. The issue stems from user-controlled input url being passed unsanitized into a shell command using exec, allowing attackers t...

CVE-2025-32779 labsai/eddi Vulnerable to Path Traversal (Zip Slip) in ZIP Import Function

E.D.D.I Enhanced Dialog Driven Interface is a middleware to connect and manage LLM API bots. In versions before 5.5.0, an attacker with access to the /backup/import API endpoint can write arbitrary files to locations outside the intended extraction directory due to a Zip Slip vulnerability...

CVE-2024-47822

Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are potentially exposed in system logs which may be persisted. The access token in req.query is not redacted when the LOGSTYLE is set to raw. If these logs are no...

CVE-2024-49709 XSS in iKSORIS

Internet Starter, one of SoftCOM iKSORIS system modules, allows for setting an arbitrary session cookie value. An attacker with an access to user's browser might set such a cookie, wait until the user logs in and then use the same cookie to take over the account. Moreover, the system does not...

CVE-2024-10087 XSS in iKSORIS

Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Reflected XSS Cross-site Scripting attacks. An attacker might craft a link containing a malicious script, which then gets directly embedded in references to other resources, what causes the script to run in user's context...

CVE-2024-10087

CVE-2024-10087 concerns the Internet Starter module of SoftCOM iKSORIS, which is vulnerable to a Reflected XSS attack. The issue arises when a crafted link containing malicious script is embedded in references to other resources, causing the script to execute in the user’s context. The CVSS metri...

BIT-GITLAB-2025-25292 Ruby SAML vulnerable to SAML authentication bypass due to namespace handling (parser differential)

ruby-saml provides security assertion markup language SAML single sign-on SSO for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to versions 1.12.4 and 1.18.0 due to a parser differential. ReXML and Nokogiri parse XML differently, the parsers can generate entirely...

BIT-GIT-2024-50349 Git does not sanitize URLs when asking for credentials interactively

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. When Git asks for credentials via a terminal prompt i.e. without using any credential helper, it prints out the host name for whic...

CVE-2025-22374

A Server-Side Request Forgery SSRF vulnerability was discovered in the videx-legacy-ssl web service of Videx’s CyberAudit-Web, affecting versions prior to 1.1.3. This vulnerability has been patched in versions after 1.1.3. Leaving this vulnerability unpatched could lead to unauthorized access to...

Linux Distros Unpatched Vulnerability : CVE-2025-31498

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - c-ares is an asynchronous resolver library. From 1.32.3 through 1.34.4, there is a use-after-free in readanswers when processanswer may re-enqueue a query eithe...

CVE-2025-22374

Videx CyberAudit-Web’s videx-legacy-ssl SSRF vulnerability (CVE-2025-22374) affects versions prior to 1.1.3 and is patched in 1.1.3+. The issue could allow unauthorized access to the underlying infrastructure. Documents confirm the affected component and fixed version; exploitation status is not ...

PT-2025-15971 · Videx · Videx Cyberaudit-Web

Name of the Vulnerable Software and Affected Versions: Videx CyberAudit-Web versions prior to 1.1.3 Description: A Server-Side Request Forgery SSRF vulnerability was discovered in the videx-legacy-ssl web service of Videx’s CyberAudit-Web. This issue could lead to unauthorized access to the...

WordPress Easyfonts plugin <= 1.1.2 - Cross Site Request Forgery (CSRF) vulnerability

Cross Site Request Forgery CSRF vulnerability discovered by Nguyen Thi Huyen Trang - Skalucy in WordPress Plugin Easyfonts versions = 1.1.2...

PT-2025-15762 · Microsoft · Windows Live Writer

Name of the Vulnerable Software and Affected Versions: Windows Live Writer versions 0.1 and earlier Description: The issue is a Cross-Site Request Forgery CSRF vulnerability that allows Stored XSS. This means an attacker can trick a user into performing unintended actions on a web application,...