Malicious Package
Overview @kodane/patch-manager is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
Infinite loop
Overview Magick.NET-Q16-OpenMP-x64 is a Magick.NET build. Magick.NET lets you use ImageMagick without having to install ImageMagick on your server or desktop. For more information about specific builds, see the official docs https://github.com/dlemstra/Magick.NET/tree/main/docs Affected versions of this package a...
GHSA-29CQ-5W36-X7W3 Livewire is vulnerable to remote command execution during component property update hydration
Impact In Livewire v3 ≤ 3.6.3, a vulnerability allows unauthenticated attackers to achieve remote command execution in specific scenarios. The issue stems from how certain component property updates are hydrated. This vulnerability is unique to Livewire v3 and does not affect prior major versions...
CVE-2025-53833
LaRecipe is an application that allows users to create documentation with Markdown inside a Laravel app. Versions prior to 2.8.1 are vulnerable to Server-Side Template Injection (SSTI), which could potentially lead to Remote Code Execution (RCE) in vulnerable configurations. Attackers could execute...
OESA-2025-1789 python3 security update
Python combines remarkable power with very clear syntax. It has modules, classes, exceptions, very high level dynamic data types, and dynamic typing. There are interfaces to many system calls and libraries, as well as to various windowing systems. New built-in modules are easily written in C or C...
PT-2025-28889
Name of the Vulnerable Software and Affected Versions: Linux kernel versions 5.12.0-rc2-syzkaller-00467-g0d7588ab9ef9 and earlier. Description: A flaw exists in the Linux kernel's task switching routine on RISC-V architecture. Specifically, the issue relates to the handling of the SR_SUM status...
SUSE CVE-2023-42818
JumpServer is an open source bastion host. When users enable MFA and use a public key for authentication, the Koko SSH server does not verify the corresponding SSH private key. An attacker could exploit a vulnerability by utilizing a disclosed public key to attempt brute-force authentication...
Apache Tomcat installer for Windows has an untrusted search path vulnerability
Untrusted Search Path vulnerability in Apache Tomcat installer for Windows. During installation, the Tomcat installer for Windows used icacls.exe without specifying a full path. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.7, from 10.1.0 through 10.1.41, from 9.0.23 through...
TencentOS Server 4: runc (TSSA-2024:0600)
The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to the tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0600 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities...
TencentOS Server 4: nodejs20 (TSSA-2025:0295)
The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2025:0295 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...
GHSA-JM43-HRQ7-R7W6 XWiki allows privilege escalation through link refactoring
Impact Pages can gain script or programming rights when they contain a link and the target of the link is renamed or moved. This might lead to execution of scripts contained in xobjects that should never have been executed. This vulnerability affects all versions of XWiki since 8.2 and 7.4.5...
WordPress WPCRM - CRM for Contact form CF7 & WooCommerce plugin <= 3.2.0 - SQL Injection Vulnerability
WordPress WPCRM - CRM for Contact form CF7 & WooCommerce plugin <= 3.2.0 - SQL Injection Vulnerability discovered by Phúc ton luoi in WordPress Plugin WPCRM - CRM for Contact form CF7 & WooCommerce versions <= 3.2.0...
Amazon Linux 2 : git (ALAS-2025-2884)
The version of git installed on the remote host is prior to 2.47.1-1. It is, therefore, affected by a vulnerability as referenced in the ALAS2-2025-2884 advisory. Git is a source code management tool. When cloning from a server or fetching, or pushing, informational or error messages are...
MAL-2025-4927 Malicious code in ods-core-v1 (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware c864e00fb5ed04b7160b6804c91bddefa43500c877ad9e889fdc397f89c35721 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Medium: git
Issue Overview: Git is a source code management tool. When cloning from a server or fetching, or pushing, informational or error messages are transported from the remote Git process to the client via the so-called "sideband channel". These messages will be prefixed with "remote:" and printed...
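The two git entries above describe the mechanism: anything the remote writes on the sideband channel is printed to the user's terminal behind a "remote:" prefix, so control characters and ANSI escape sequences chosen by a malicious server can move the cursor, clear lines and forge output that looks like the client's own. The following is an added illustration written for this page, not git's own sideband code: it detects control bytes in a constructed payload and renders them in caret notation so they are visible but inert. The sample payloads are constructed.

```python
# Added illustration (not git's own sideband.c): render server-supplied sideband
# messages so that control characters cannot rewrite the terminal.

# Constructed sample payloads, as a malicious remote could send them.
SAMPLES = {
    "benign": "Counting objects: 12, done.\n",
    # ESC[1A moves the cursor up a line and ESC[2K clears it, so the text that
    # follows overwrites the "remote:" line and looks like the client's own output.
    "spoofing": "done.\x1b[1A\x1b[2K\x1b[32mAll checks passed\x1b[0m\n",
    # A carriage return lets later bytes overwrite earlier ones on the same line.
    "overwrite": "fetching\r\x07overwritten\n",
}


def has_control_chars(payload: str) -> bool:
    """True if the payload contains any control byte other than newline or tab."""
    return any((ord(c) < 0x20 or ord(c) == 0x7F) and c not in "\n\t" for c in payload)


def sanitize_sideband(payload: str) -> str:
    """Replace each control character except newline and tab with caret notation
    (ESC -> ^[, CR -> ^M, BEL -> ^G, DEL -> ^?), so it is visible but inert."""
    out = []
    for ch in payload:
        code = ord(ch)
        if ch in "\n\t" or not (code < 0x20 or code == 0x7F):
            out.append(ch)
        else:
            out.append("^" + chr(code ^ 0x40))
    return "".join(out)


def format_remote_lines(payload: str) -> list:
    """Split a sanitized payload into the 'remote: ' prefixed lines a client prints."""
    lines = sanitize_sideband(payload).split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # drop the empty element after a trailing newline
    return ["remote: " + line for line in lines]


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"--- {name} (control chars: {has_control_chars(payload)})")
        for line in format_remote_lines(payload):
            print(line)
```

Newline and tab are passed through because legitimate progress output relies on them; everything else below 0x20, plus DEL, is escaped. A client that merely strips the bytes instead of showing them would hide the evidence that a server attempted the trick.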
NewStart CGSL MAIN 7.02 : vim Multiple Vulnerabilities (NS-SA-2025-0081)
The remote NewStart CGSL host, running version MAIN 7.02, has vim packages installed that are affected by multiple vulnerabilities: - Vim before 9.0.2142 has a stack-based buffer overflow because did_set_langmap in map.c calls sprintf to write to the error buffer that is passed down to the option...
CVE-2025-5714
A vulnerability was found in SoluçõesCoop iSoluçõesWEB up to 20250516. It has been classified as problematic. This affects an unknown part of the file /sys/up.upload.php of the component Profile Information Update. The manipulation of the argument nomeArquivo leads to path traversal. It is possib...
Malicious code in stake-config (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 505bc2ea5f7bcdaeafd338ab86be15a36425335f5d45c1b2d5d03d43068ab07f Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2025-48947 NextJS-Auth0 SDK Vulnerable to CDN Caching of Session Cookies
The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. In Auth0 Next.js SDK versions 4.0.1 through 4.6.0, session cookies set by auth0.middleware may be cached by CDNs due to missing Cache-Control headers. Three preconditions must be met in order for...
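The entry above turns on one header: a response that carries Set-Cookie but no Cache-Control directive excluding shared caches can be stored by a CDN and replayed, session cookie included, to other visitors. The following is an added example written for this page, not the Auth0 SDK's middleware: it audits a set of constructed responses for that condition and shows the hardened header. The paths, cookie values and header sets are made up.

```python
# Added illustration (not the Auth0 Next.js SDK's own middleware): flag responses
# that set a cookie but carry no Cache-Control directive keeping them out of a
# shared cache, and show the hardened header.

# Constructed sample responses; cookie values and paths are made up.
SAMPLE_RESPONSES = {
    "/api/auth/callback": [
        ("Content-Type", "text/html"),
        ("Set-Cookie", "appSession=abc123; Path=/; HttpOnly; Secure"),
    ],
    "/profile": [
        ("Set-Cookie", "appSession=abc123; Path=/; HttpOnly; Secure"),
        ("Cache-Control", "public, max-age=300"),
    ],
    "/dashboard": [
        ("Set-Cookie", "appSession=abc123; Path=/; HttpOnly; Secure"),
        ("Cache-Control", "private, no-store"),
    ],
    "/static/app.js": [
        ("Cache-Control", "public, max-age=31536000, immutable"),
    ],
}

SAFE_CACHE_CONTROL = "private, no-cache, no-store, max-age=0, must-revalidate"


def cache_directives(headers):
    """Lower-cased directive names from every Cache-Control header (values dropped)."""
    directives = set()
    for name, value in headers:
        if name.lower() == "cache-control":
            for part in value.split(","):
                part = part.strip().lower()
                if part:
                    directives.add(part.split("=", 1)[0].strip())
    return directives


def sets_cookie(headers):
    return any(name.lower() == "set-cookie" for name, _ in headers)


def cookie_is_shared_cacheable(headers):
    """True when a response sets a cookie and neither no-store nor private is present,
    so a CDN honouring the headers may store it and replay the Set-Cookie to other users."""
    if not sets_cookie(headers):
        return False
    return not ({"no-store", "private"} & cache_directives(headers))


def audit(responses):
    """Paths whose responses would let a shared cache keep a session cookie."""
    return [path for path, headers in responses.items() if cookie_is_shared_cacheable(headers)]


def harden(headers):
    """Return a copy of the headers with any Cache-Control replaced by a non-cacheable
    policy whenever a cookie is set; responses without cookies are returned unchanged."""
    if not sets_cookie(headers):
        return list(headers)
    kept = [(n, v) for n, v in headers if n.lower() != "cache-control"]
    return kept + [("Cache-Control", SAFE_CACHE_CONTROL)]


if __name__ == "__main__":
    for path in audit(SAMPLE_RESPONSES):
        print(f"{path}: Set-Cookie without no-store/private; "
              f"fix -> Cache-Control: {SAFE_CACHE_CONTROL}")
```

"private" alone keeps shared caches out; "no-store" additionally keeps the browser cache from retaining the response, which is why the hardened value carries both. Note that some CDNs are configured to ignore origin headers and cache by path, so the header is necessary but the CDN's own rules for the authentication routes still need checking.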
WordPress Sweet Dessert Theme < 1.1.13 is vulnerable to PHP Object Injection
Software: Sweet Dessert. Type: Theme. Vulnerable versions: < 1.1.13. Fixed in: 1.1.13. OWASP Top 10: A3: Injection. Classification: PHP Object Injection. CVE: CVE-2025-49073. Patch priority: High. CVSS severity: High (9.8). PSID: 3fb9eef0dd59. Credits: Tran Nguyen Bao Khanh VCI - VNPT Cyber...