PT-2025-39691
Name of the Vulnerable Software and Affected Versions: Tencent WeKnora version 0.1.0 Description: A security flaw exists in Tencent WeKnora version 0.1.0. The testEmbeddingModel function within the /api/v1/initialization/embedding/test file is susceptible to server-side request forgery. Manipulatio...
Malicious code in @sev-ui-verse/event-tracking (npm)
The package @sev-ui-verse/event-tracking was found to contain malicious code. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 456d3a4ed1bb864eafcf6a65c30be392f9dc9ac1342ab0c1cd51cc463f11ff7f Any computer that has this package installed or running should be considere...
Malicious Package
Overview: envs-loader is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package authorshi...
[SECURITY] [DSA 5979-2] libxslt regression update
------------------------------------------------------------------------- Debian Security Advisory DSA-5979-1 [email protected] https://www.debian.org/security/ Guilhem Moulin September 25, 2025 https://www.debian.org/security/faq -...
Claude Code Vulnerable to Arbitrary Code Execution via Plugin Autoloading with Specific Yarn Versions
When using Claude Code with Yarn installed, Yarn config files can trigger code execution when running yarn --version. This could lead to a bypass of the directory trust dialog in Claude Code, as plugins and yarnPath could be executed prior to the user accepting the risks of working in an untruste...
CVE-2025-4444
A security flaw has been discovered in Tor up to 0.4.7.16/0.4.8.17. Impacted is an unknown function of the component Onion Service Descriptor Handler. Performing manipulation results in resource consumption. The attack may be initiated remotely. The attack's complexity is rated as high. The...
CVE-2025-43356
A flaw was found in WebKitGTK. A malicious website can obtain access to sensor information without user consent due to improper handling of caches. Mitigation: Do not visit untrusted websites. Also, do not process or load untrusted web content with WebKitGTK. In Red Hat Enterprise Linux 7, the...
Dragonfly vulnerable to server-side request forgery
Impact: There are multiple server-side request forgery (SSRF) vulnerabilities in the DragonFly2 system. The vulnerabilities enable users to force DragonFly2’s components to make requests to internal services, which otherwise are not accessible to the users. One SSRF attack vector is exposed by the...
Important: Red Hat Security Advisory: OpenShift Container Platform 4.16.48 security and extras update
Red Hat OpenShift Container Platform release 4.16.48 is now available with updates to packages and images that fix several bugs. This release includes a security update for Red Hat OpenShift Container Platform 4.16. Red Hat Product Security has rated this update as having a security impact of...
Malicious code in tvi-cli (npm)
The package was compromised and malicious code added. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware f78946397af9b739b00884d97f406ea16405f5558af770d05400083fd26e7061 Any computer that has this package installed or running should be considered fully compromised. All...
[SECURITY] [DLA 4301-1] python-django security update
------------------------------------------------------------------------- Debian LTS Advisory DLA-4301-1 [email protected] https://www.debian.org/lts/security/ Chris Lamb September 15, 2025 https://wiki.debian.org/LTS -...
CVE-2025-58045 Dataease server-side request forgery via unfiltered DB2 JDBC ldap parameter
Dataease is an open source data analytics and visualization platform. In Dataease versions up to 2.10.12, the patch introduced to mitigate DB2 JDBC deserialization remote code execution attacks only blacklisted the rmi parameter. The ldap parameter in the DB2 JDBC connection string was not...
Important: kernel-livepatch-6.1.141-155.222
Issue Overview: In the Linux kernel, the following vulnerability has been resolved: ACPICA: Refuse to evaluate a method if arguments are missing CVE-2025-38386 Affected Packages: kernel-livepatch-6.1.141-155.222 Issue Correction: Please ensure you have live patching enabled. Run dnf update...
Medium: gstreamer1-plugins-base
Issue Overview: In GStreamer through 1.26.1, the subparse plugin's parsesubriptime function may write data past the bounds of a stack buffer, leading to a crash. CVE-2025-47806 In GStreamer through 1.26.1, the subparse plugin's subripunescapeformatting function may dereference a NULL pointer whil...
CVE-2025-59139 Hono has Body Limit Middleware Bypass
Hono is a Web application framework that provides support for any JavaScript runtime. In versions prior to 4.9.7, a flaw in the bodyLimit middleware could allow bypassing the configured request body size limit when conflicting HTTP headers were present. The middleware previously prioritized the...
[SECURITY] [DSA 5999-1] libjson-xs-perl security update
------------------------------------------------------------------------- Debian Security Advisory DSA-5999-1 [email protected] https://www.debian.org/security/ Salvatore Bonaccorso September 11, 2025 https://www.debian.org/security/faq -...
Malicious Package
Overview: airbnb-with-tracking is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
PT-2025-37055
Name of the Vulnerable Software and Affected Versions: Claude Code versions prior to 1.0.105 Description: Claude Code is an agentic coding tool. A flaw in command parsing allowed a bypass of the Claude Code confirmation prompt, potentially triggering the execution of untrusted commands...
PT-2025-36567
Name of the Vulnerable Software and Affected Versions: Tautulli versions prior to 2.16.0 Description: Tautulli is a Python-based monitoring and tracking tool for Plex Media Server. The /image API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files...
Metabase 0.41.x < 0.41.7 / 0.42.x < 0.42.4 / 1.41.x < 1.41.7 / 1.42.x < 1.42.4
The version of Metabase installed on the remote host is prior to Unknown. It is, therefore, affected by a Metabase is an open source business intelligence and analytics application. SQLite has an FDW-like feature called ATTACH DATABASE, which allows connecting multiple SQLite databases via the...