Lucene search

4 matches found

CVE
added 2025/11/19 3:29 a.m., 12 views

CVE-2025-12427

CVE-2025-12427 affects YITH WooCommerce Wishlist for WordPress (versions ≤ 4.10.0). The vulnerability is an Insecure Direct Object Reference via REST API/AJAX due to missing validation on user-controlled keys, allowing unauthenticated attackers to discover any user’s wishlist token ID and rename ...

CVSS 5.3, AI score 5.6, EPSS 0.00084
Exploits 0, References 6
Github Security Blog
added 2025/07/25 2:11 p.m., 10 views

XWiki Platform vulnerable to SQL injection through XWiki#searchDocuments API

Impact: It's possible to execute any SQL query in Oracle by using the function like DBMS_XMLGEN or DBMS_XMLQUERY. The XWiki#searchDocuments APIs are not sanitizing the query at all and even if they force a specific select, Hibernate allows using any native function in an HQL query for example in the...

CVSS 9.8, AI score 7.4, EPSS 0.00979
Exploits 0, References 8, Affected Software 1
Tenable Nessus
added 2025/01/03 12:0 a.m., 12 views

ZenML < 0.55.5 Vulnerability - CVE-2024-2032

The version of ZenML installed on the remote host is prior to 0.55.5. It is, therefore, affected by a race condition vulnerability which allows for the creation of multiple users with the same username when requests are sent in parallel. The vulnerability arises due to insufficient handling of...

CVSS 3.1, AI score 4.9, EPSS 0.00044
Exploits 0, References 3
FreeBSD
added 2024/12/18 12:0 a.m., 3 views

age -- age vulnerable to malicious plugin names, recipients, or identities causing arbitrary binary execution

Filippo Valsorda reports: A plugin name containing a path separator may allow an attacker to execute an arbitrary binary. Such a plugin name can be provided to the age CLI through an attacker-controlled recipient or identity string, or to the plugin.NewIdentity, plugin.NewIdentityWithoutData, or...

AI score 7.6
Exploits 0, References 1