
2127 matches found

NVD
added 2025/02/03 10:15 p.m., 28 views

CVE-2025-24906

WeGIA is a Web Manager for Charitable Institutions. A SQL Injection vulnerability was discovered in the WeGIA application, getdetalhescobranca.php endpoint. This vulnerability could allow an authorized attacker to execute arbitrary SQL queries, allowing access to or deletion of sensitive...

CVSS 10, EPSS 0.00523
Exploits 1, References 1
CVE
added 2025/02/03 9:43 p.m., 68 views

CVE-2025-24905

CVE-2025-24905: WeGIA Web Manager for charitable institutions contains a SQL injection in the get_codigobarras_cobranca.php endpoint (parameter likely codigo). An authorized attacker could execute arbitrary SQL queries, potentially accessing or deleting sensitive information. The issue is addres...

CVSS 10, AI score 7.9, EPSS 0.00464
Exploits 1, References 1, Affected Software 1
CVE
added 2025/02/03 9:28 p.m., 58 views

CVE-2025-22129

CVE-2025-22129 affects Tuleap (community and enterprise editions) where an unauthorized user could access restricted information. The issue is addressed in Tuleap Community Edition 16.3.99.1736242932, Tuleap Enterprise Edition 16.2-5, and Tuleap Enterprise Edition 16.3-2; users should upgrade. Th...

CVSS 4.3, AI score 4.7, EPSS 0.00307
Exploits 1, References 3, Affected Software 1
OSV
added 2025/02/03 9:28 p.m., 5 views

CVE-2025-22129 Initial effort field does not respect field permissions in the Taskboard REST card representation in Tuleap

Tuleap is an Open Source Suite to improve management of software developments and collaboration. In affected versions an unauthorized user might get access to restricted information. This issue has been addressed in Tuleap Community Edition 16.3.99.1736242932, Tuleap Enterprise Edition 16.2-5, an...

CVSS 4.3, AI score 6.8, EPSS 0.00307
Exploits 1, References 5
Vulnrichment
added 2025/02/03 9:28 p.m., 16 views

CVE-2025-22129 Initial effort field does not respect field permissions in the Taskboard REST card representation in Tuleap

Tuleap is an Open Source Suite to improve management of software developments and collaboration. In affected versions an unauthorized user might get access to restricted information. This issue has been addressed in Tuleap Community Edition 16.3.99.1736242932, Tuleap Enterprise Edition 16.2-5, an...

CVSS 4.3, AI score 6.9, EPSS 0.00307
Exploits 1, References 3
CVE
added 2025/02/03 9:26 p.m., 60 views

CVE-2025-24029

CVE-2025-24029 affects Tuleap’s Cross Tracker Search widget: artifact permissions are not verified, allowing access to restricted artifacts for users (including anonymous) when the widget is used in public project dashboards. Affected versions have been addressed by Tuleap: Community Edition 16.3...

CVSS 5.3, AI score 6.9, EPSS 0.00324
Exploits 0, References 4, Affected Software 1
CVE
added 2025/02/03 9:20 p.m., 64 views

CVE-2025-24371

CVE-2025-24371 affects CometBFT’s blocksync protocol. If a peer first reports a non-existent latest height X and then a lower Y (X>Y), a node may continually try to catch up and become blocked, potentially impacting availability. This is a networked, low-complexity issue with high impact on av...

CVSS 7.1, AI score 6.6, EPSS 0.00425
Exploits 0, References 3
Cvelist
added 2025/02/03 9:14 p.m., 66 views

CVE-2025-23210 Bypass XSS sanitizer using the javascript protocol and special characters in phpoffice/phpspreadsheet

phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting XSS sanitizer using the javascript protocol and special characters. This issue has been addressed in versions 3.9.0, 2.3.7, 2.1....

CVSS 4.8, EPSS 0.00387
Exploits 0, References 2
Cvelist
added 2025/02/03 9:07 p.m., 20 views

CVE-2025-24370 Django-Unicorn Class Pollution Vulnerability, Leading to XSS, DoS and Authentication Bypass

Django-Unicorn adds modern reactive component functionality to Django templates. Affected versions of Django-Unicorn are vulnerable to a Python class pollution vulnerability. The vulnerability arises from the core functionality setpropertyvalue, which can be remotely triggered by users by crafting...

CVSS 9.3, EPSS 0.00451
Exploits 0, References 2
OSV
added 2025/02/03 9:07 p.m., 9 views

CVE-2025-24370 Django-Unicorn Class Pollution Vulnerability, Leading to XSS, DoS and Authentication Bypass

Django-Unicorn adds modern reactive component functionality to Django templates. Affected versions of Django-Unicorn are vulnerable to a Python class pollution vulnerability. The vulnerability arises from the core functionality setpropertyvalue, which can be remotely triggered by users by crafting...

CVSS 9.3, AI score 6.3, EPSS 0.00451
Exploits 0, References 4
CVE
added 2025/02/03 9:01 p.m., 85 views

CVE-2025-24899

The CVE concerns reNgine, an automated reconnaissance framework for web apps. A flaw allows an insider with any role (e.g., Auditor, Penetration Tester, Sys Admin) to exfiltrate sensitive data from other reNgine users via a GET request to /api/listVulnerability/ after scanning targets. Affected d...

CVSS 7.5, AI score 6.7, EPSS 0.00495
Exploits 1, References 2, Affected Software 1
Vulnrichment
added 2025/02/03 8:40 p.m., 5 views

CVE-2025-24960 Missing Input validation for filename in backups endpoint in Jellystat

Jellystat is a free and open source Statistics App for Jellyfin. In affected versions Jellystat uses user input directly in its routes, which can lead to path traversal vulnerabilities. Since this functionality is only for admins, there is very little scope for abuse. However, the DELETE...

CVSS 8.7, AI score 8.6, EPSS 0.00483
Exploits 0, References 3
Vulnrichment
added 2025/02/03 8:29 p.m., 4 views

CVE-2025-24961 Insecure path traversal in filesystem and filesystem-nio2 storage backends in org.gaul S3Proxy

org.gaul S3Proxy implements the S3 API and proxies requests. Users of the filesystem and filesystem-nio2 storage backends could unintentionally expose local files to users. This issue has been addressed in version 2.6.0. Users are advised to upgrade. There are no known workarounds for this...

CVSS 6, AI score 6.2, EPSS 0.00506
Exploits 0, References 3
OSV
added 2025/02/03 8:29 p.m., 4 views

CVE-2025-24961 Insecure path traversal in filesystem and filesystem-nio2 storage backends in org.gaul S3Proxy

org.gaul S3Proxy implements the S3 API and proxies requests. Users of the filesystem and filesystem-nio2 storage backends could unintentionally expose local files to users. This issue has been addressed in version 2.6.0. Users are advised to upgrade. There are no known workarounds for this...

CVSS 6, AI score 6.3, EPSS 0.00506
Exploits 0, References 5
OSV
added 2025/02/03 6:15 p.m., 3 views

AZL-56427 CVE-2025-24898 affecting package 389-ds-base 3.1.1-10

rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than th...

CVSS 6.3, AI score 6.1, EPSS 0.00623
Exploits 0, References 1
OSV
added 2025/02/03 6:15 p.m., 3 views

DEBIAN-CVE-2025-24898

rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than th...

CVSS 6.3, AI score 5.7, EPSS 0.00623
Exploits 0, References 1
NVD
added 2025/02/03 6:15 p.m., 8 views

CVE-2025-24898

rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than th...

CVSS 6.3, EPSS 0.00623
Exploits 0, References 4
Cvelist
added 2025/02/03 5:57 p.m., 18 views

CVE-2025-24898 rust openssl ssl::select_next_proto use after free

rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than th...

CVSS 6.3, EPSS 0.00623
Exploits 0, References 3
Debian CVE
added 2025/02/03 5:57 p.m., 6 views

CVE-2025-24898

rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than th...

CVSS 6.3, AI score 5.6, EPSS 0.00623
Exploits 0
OSV
added 2025/02/03 5:57 p.m., 10 views

CVE-2025-24898 rust openssl ssl::select_next_proto use after free

rust-openssl is a set of OpenSSL bindings for the Rust programming language. In affected versions ssl::select_next_proto can return a slice pointing into the server argument's buffer but with a lifetime bound to the client argument. In situations where the server buffer's lifetime is shorter than th...

CVSS 6.3, AI score 5.4, EPSS 0.00623
Exploits 0, References 6