CVE-2025-54887

jwe is a Ruby implementation of the RFC 7516 JSON Web Encryption JWE standard. In versions 1.1.0 and below, authentication tags of encrypted JWEs can be brute forced, which may result in loss of confidentiality for those JWEs and provide ways to craft arbitrary JWEs. This puts users at risk becau...

LitmusChaos 安全漏洞

LitmusChaos is a program open-sourced by Litmus Chaos that practices chaos engineering in a cloud-native manner. A security vulnerability exists in LitmusChaos 3.19.0 and earlier versions, which stems from improper access control of the parameter projectID in the file /auth/login, which could lea...

PT-2025-32481 · Unknown · Xujeff Tianti 天梯

Name of the Vulnerable Software and Affected Versions: xujeff tianti 天梯 versions prior to 2.3 Description: A critical issue exists in xujeff tianti 天梯, potentially leading to missing authorization. The vulnerability affects unknown code within the /tianti-module-admin/user/ajax/save API endpoint...

CVE-2025-54999 OpenBao: Timing Side-Channel in Userpass Auth Method

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users an...

CVE-2025-54998

CVE-2025-54998 affects OpenBao versions 0.1.0–2.3.1, where an aliasing mismatch between pre-flight and full login user entity attributes allowed bypass of automatic user lockout in Userpass/LDAP auth. The issue is fixed in version 2.3.2. Remediation: upgrade to 2.3.2; as a workaround, apply rate-...

CVE-2012-10053

CVE-2012-10053 affects Simple Web Server 2.2 rc2 and is a stack-based buffer overflow in processing the Connection HTTP header. The server uses vsprintf() without bounds checking, allowing a remote attacker to trigger a stack overflow and execute arbitrary code with the web server process privile...

Linux Distros Unpatched Vulnerability : CVE-2023-52440

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix slub overflow in ksmbddecodentlmsspauthblob If authblob-SessionKey.Length is bigg...

Linux Distros Unpatched Vulnerability : CVE-2025-27154

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Spotipy is a lightweight Python library for the Spotify Web API. The CacheHandler class creates a cache file to store the auth token. Prior to version 2.25.1, t...

Linux Distros Unpatched Vulnerability : CVE-2025-22038

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ksmbd: validate zero numsubauth before subauth is accessed Access psid-subauthpsid-numsubauth - 1 without checking if numsubauth is non-zero leads to an...

HashiCorp Vault ldap auth method may not have correctly enforced MFA

Vault and Vault Enterprise’s “Vault” ldap auth method may not have correctly enforced MFA if usernameasalias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and...

CVE-2025-6013

Vault and Vault Enterprise’s “Vault” ldap auth method may not have correctly enforced MFA if usernameasalias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and...

The vulnerability of the getAuthCode() function in D-Link DIR-605L router microprogramming software allows a hacker to execute any code with root privileges.

The vulnerability of the getAuthCode function in D-Link DIR-605L router microprogramming software is related to buffer overflows in the CAPTCHA processing stack. Exploiting this vulnerability allows a remote attacker to execute arbitrary commands with root privileges...

kernel: sunrpc: handle SVC_GARBAGE during svc auth processing as auth error

A flaw was found in the Linux kernel, where a specially crafted RPC packet could cause data corruption or trigger a system panic. This flaw allows a remote attacker who can make RPC calls to send an intentionally malformed packet, potentially compromising system integrity or causing a denial of...

kernel: sunrpc: handle SVC_GARBAGE during svc auth processing as auth error

A flaw was found in the Linux kernel, where a specially crafted RPC packet could cause data corruption or trigger a system panic. This flaw allows a remote attacker who can make RPC calls to send an intentionally malformed packet, potentially compromising system integrity or causing a denial of...

SUSE CVE-2025-6624

Versions of the package snyk before 1.1297.3 are vulnerable to Insertion of Sensitive Information into Log File through local Snyk CLI debug logs. Container Registry credentials provided via environment variables or command line arguments can be exposed when executing Snyk CLI in DEBUG or...

CVE-2025-6011

A timing side channel in Vault and Vault Enterprise’s “Vault” userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise...

CVE-2025-6011

A timing side channel in Vault and Vault Enterprise’s “Vault” userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise...

CVE-2025-6011 Timing Side-Channel in Vault’s Userpass Auth Method

A timing side channel in Vault and Vault Enterprise’s “Vault” userpass auth method allowed an attacker to distinguish between existing and non-existing users, and potentially enumerate valid usernames for Vault’s Userpass auth method. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise...

CVE-2025-6011

CVE-2025-6011 describes a timing side-channel in Vault and Vault Enterprise's userpass authentication that could let an attacker distinguish existing vs non-existing usernames, enabling possible username enumeration. Root cause: timing differences during user existence checks in the Userpass meth...

Malicious code in fulfillment-auth-widget (npm)

The package communicates with a domain associated with malicious activity...