2443 matches found

NVD
added 2025/11/12 11:15 a.m. | 8 views

CVE-2025-40171

In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: move lsop put work to nvmetfclsreqop It’s possible for more than one async command to be in flight from nvmetfcsendlsreq. For each command, a tgtport reference is taken. In the current code, only one put work item is...

EPSS: 0.00167 | Exploits: 0 | References: 6

OSV
added 2025/11/12 11:15 a.m. | 3 views

UBUNTU-CVE-2025-40171

In the Linux kernel, the following vulnerability has been resolved: nvmet-fc: move lsop put work to nvmetfclsreqop It’s possible for more than one async command to be in flight from nvmetfcsendlsreq. For each command, a tgtport reference is taken. In the current code, only one put work item is...

AI score: 5.7 | EPSS: 0.00167 | Exploits: 0 | References: 37

CVE
added 2025/11/12 10:53 a.m. | 17 views

CVE-2025-40176

The CVE-2025-40176 issue affects the Linux kernel TLS path used for async decryption. If tls_strp_msg_hold fails to allocate a clone of the input skb, proceeding with async decryption can cause use-after-free on the skb or writes to userspace memory after recv(). The documented fix is to wait for...

AI score: 5.9 | EPSS: 0.00162 | Exploits: 0 | References: 5

RedhatCVE
added 2025/11/12 6:59 a.m. | 5 views

CVE-2025-11307

The WP Go Maps formerly WP Google Maps WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped...

CVSS: 8.8 | AI score: 6.3 | EPSS: 0.01897 | Exploits: 0 | References: 1

EUVD
added 2025/11/12 4:29 a.m. | 3 views

EUVD-2025-121878

Malicious code in socketio-command-andromeda-async npm...

AI score: 6.6 | Exploits: 0

EUVD
added 2025/11/12 4:29 a.m. | 2 views

EUVD-2025-114359

Malicious code in dotenv-safe-dynamo-proxima-async npm...

AI score: 6.6 | Exploits: 0

OSSF Malicious Packages
added 2025/11/12 4:29 a.m. | 5 views

Malicious code in exec-nuxtjs-async-await (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 0547138917a1647cd799533fb1a5d590a7076f852e032130c1b80b909a792139 This package appears to be part of the tea.xyz token reward campaign that flooded npm. These packages typically contain autopublish scripts auto.js,...

AI score: 6.9 | Exploits: 0

EUVD
added 2025/11/12 4:29 a.m. | 3 views

EUVD-2025-122168

Malicious code in sedna-cache-toml-async npm...

AI score: 6.6 | Exploits: 0

EUVD
added 2025/11/12 4:29 a.m. | 2 views

EUVD-2025-116474

Malicious code in async-json-metalsmith-elektra npm...

AI score: 6.6 | Exploits: 0

Positive Technologies
added 2025/11/12 12:00 a.m. | 3 views

PT-2025-46650

Name of the Vulnerable Software and Affected Versions Linux kernel affected versions not specified Description The Linux kernel contains a flaw within the qaic accelerator. Specifically, the find and map user pages function does not properly handle scenarios where a zero-sized ALP Asynchronous...

CVSS: 4.6 | AI score: 7.5 | EPSS: 0.00162 | Exploits: 0

CNNVD
added 2025/11/12 12:00 a.m. | 4 views

Linux kernel security vulnerability

Linux kernel is the kernel used by Linux, the open source operating system of the Linux Foundation in the United States. A security vulnerability exists in the Linux kernel that stems from not waiting for asynchronous decryption to complete after a tls_strp_msg_hold failure, which could lead to a UA...

AI score: 6 | EPSS: 0.00162 | Exploits: 0 | References: 6

RedhatCVE
added 2025/11/11 7:48 p.m. | 3 views

CVE-2025-47773

Combodo iTop is a web based IT service management tool. Versions prior to 2.7.13 and 3.2.2 are vulnerable to cross-site scripting when a dashboard is edited via an AJAX call. Versions 2.7.13 and 3.2.2 protect rendered HTML content...

CVSS: 8.8 | AI score: 6 | EPSS: 0.0019 | Exploits: 0 | References: 1

EUVD
added 2025/11/11 12:30 p.m. | 3 views

EUVD-2025-84362

The Hydra Booking — Appointment Scheduling & Booking Calendar plugin for WordPress is vulnerable to unauthorized booking cancellation in all versions up to, and including, 1.1.27. This is due to the plugin's "tfhbmeetingformsubmitcallback" function using insufficiently random values to generate...

CVSS: 5.3 | AI score: 5.6 | EPSS: 0.00255 | Exploits: 0 | References: 3

RedHat Linux
added 2025/11/11 9:13 a.m. | 4 views

kernel: afs: Fix lock recursion

In the Linux kernel, the following vulnerability has been resolved: afs: Fix lock recursion. afs_wake_up_async_call() can incur lock recursion. The problem is that it is called from AF_RXRPC whilst holding the ->notify_lock, but it tries to take a ref on the afs_call struct in order to pass it to a work que...

CVSS: 5.5 | AI score: 6.8 | EPSS: 0.00194 | Exploits: 0 | References: 5

EUVD
added 2025/11/11 6:30 a.m. | 4 views

EUVD-2025-74048

The WP Go Maps formerly WP Google Maps WordPress plugin before 9.0.48 does not sanitize user input provided via an AJAX action, allowing unauthenticated users to store XSS payloads which are later retrieved from another AJAX call and output unescaped...

AI score: 5.7 | EPSS: 0.01897 | Exploits: 0 | References: 2

EUVD
added 2025/11/11 6:30 a.m. | 2 views

EUVD-2025-60969

The Crypto plugin for WordPress is vulnerable to unauthorized manipulation of data in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action wpajaxnoprivcryptoconnectajaxprocess that allows calling the cryptodeletejson method with only a...

CVSS: 5.3 | AI score: 5.4 | EPSS: 0.00297 | Exploits: 0 | References: 4

NVD
added 2025/11/11 6:15 a.m. | 4 views

CVE-2025-11237

The Make Email Customizer for WooCommerce WordPress plugin through 1.0.6 lacks proper authorization checks and option validation in its AJAX actions, allowing any authenticated user, such as a Subscriber, to update arbitrary WordPress options...

CVSS: 5.3 | EPSS: 0.00258 | Exploits: 0 | References: 1

Vulnrichment
added 2025/11/11 3:30 a.m. | 1 views

CVE-2025-11988 Crypto Tool <= 2.22 - Missing Authentication to Unauthenticated Limited File Deletion

The Crypto plugin for WordPress is vulnerable to unauthorized manipulation of data in all versions up to, and including, 2.22. This is due to the plugin registering an unauthenticated AJAX action wpajaxnoprivcryptoconnectajaxprocess that allows calling the cryptodeletejson method with only a...

CVSS: 5.3 | AI score: 5.5 | EPSS: 0.00297 | Exploits: 0 | References: 3

Positive Technologies
added 2025/11/11 12:00 a.m. | 3 views

PT-2025-46300

Name of the Vulnerable Software and Affected Versions WP Go Maps formerly WP Google Maps versions prior to 9.0.48 Description The software does not properly sanitize user-provided input through an AJAX action. This allows unauthenticated users to inject and store malicious code that can be execut...

CVSS: 8.8 | AI score: 6.9 | EPSS: 0.01897 | Exploits: 0 | References: 7

Positive Technologies
added 2025/11/11 12:00 a.m. | 3 views

PT-2025-46266

Name of the Vulnerable Software and Affected Versions Crypto plugin for WordPress versions prior to 2.23 Description The software is susceptible to information exposure due to an unauthenticated AJAX action, wp ajax nopriv crypto connect ajax process, which allows calling the register and savenft...

CVSS: 5.3 | AI score: 7 | EPSS: 0.00324 | Exploits: 0 | References: 7