940 matches found

CVE
added 2025/02/19 11:25 p.m. · 44 views

CVE-2024-37361

CVE-2024-37361 affects Hitachi Vantara Pentaho Business Analytics Server. The flaw is deserialization of untrusted JSON data caused by not constraining the parser to approved classes/methods, enabling potentially dangerous gadget chains during deserialization. Affected versions include before 10....

CVSS 9.9 · AI score 9.5 · EPSS 0.0047
Exploits 0 · References 1
Positive Technologies
added 2025/02/14 12:00 a.m. · 2 views

PT-2025-7249 · Unknown · Orml Rewards

Name of the Vulnerable Software and Affected Versions: ORML Rewards pallet versions prior to the fixed version. Description: A vulnerability in the add_share function can lead to an uncaught Rust panic when handling user-provided input exceeding the u128 range. This issue affects any Substrate-bas...

CVSS 8.8 · AI score 7.4
Exploits 0 · References 5
Github Security Blog
added 2025/02/10 5:46 p.m. · 18 views

Hickory DNS's DNSSEC validation may accept broken authentication chains

Summary: The DNSSEC validation routines treat entire RRsets of DNSKEY records as trusted once they have established trust in only one of the DNSKEYs. As a result, if a zone includes a DNSKEY with a public key that matches a configured trust anchor, all keys in that zone will be trusted to...

CVSS 7.1 · AI score 6.4 · EPSS 0.0026
Exploits 0 · References 4 · Affected Software 1
Vulnrichment
added 2025/02/10 5:35 p.m. · 5 views

CVE-2025-25188 DNSSEC validation may accept broken authentication chains

Hickory DNS is a Rust-based DNS client, server, and resolver. A vulnerability present starting in version 0.8.0 and prior to versions 0.24.3 and 0.25.0-alpha.5 impacts Hickory DNS users relying on DNSSEC verification in the client library, stub resolver, or recursive resolver. The DNSSEC validati...

CVSS 7.1 · AI score 6 · EPSS 0.0026
Exploits 0 · References 2
Cvelist
added 2025/02/10 5:35 p.m. · 11 views

CVE-2025-25188 DNSSEC validation may accept broken authentication chains

Hickory DNS is a Rust-based DNS client, server, and resolver. A vulnerability present starting in version 0.8.0 and prior to versions 0.24.3 and 0.25.0-alpha.5 impacts Hickory DNS users relying on DNSSEC verification in the client library, stub resolver, or recursive resolver. The DNSSEC validati...

CVSS 7.1 · EPSS 0.0026
Exploits 0 · References 2
Tenable Nessus
added 2025/02/10 12:00 a.m. · 5 views

Azure Linux 3.0 Security Update: edk2 / hvloader / nodejs18 / openssl (CVE-2023-0464)

The version of edk2 / hvloader / nodejs18 / openssl installed on the remote Azure Linux 3.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2023-0464 advisory. - A security vulnerability has been identified in all supported versions of OpenS...

CVSS 7.5 · AI score 6.2 · EPSS 0.03658
Exploits 0 · References 2
OSV
added 2025/01/28 12:47 a.m. · 8 views

GO-2025-3373 Usage of IPv6 zone IDs can bypass URI name constraints in crypto/x509

A certificate with a URI which has an IPv6 address with a zone ID may incorrectly satisfy a URI name constraint that applies to the certificate chain. Certificates containing URIs are not permitted in the web PKI, so this only affects users of private PKIs which make use of URIs...

CVSS 6.1 · AI score 6.1 · EPSS 0.00439
Exploits 0 · References 4
OSV
added 2025/01/21 1:15 p.m. · 3 views

AZL-55904 CVE-2024-57940 affecting package kernel for versions less than 6.6.76.1-1

In the Linux kernel, the following vulnerability has been resolved: exfat: fix the infinite loop in exfat_readdir. If the file system is corrupted so that a cluster is linked to itself in the cluster chain, and there is an unused directory entry in the cluster, 'dentry' will not be incremented,...

CVSS 5.5 · AI score 6.3 · EPSS 0.00218
Exploits 0 · References 1
Positive Technologies
added 2025/01/01 12:00 a.m. · 8 views

PT-2026-4476

Name of the Vulnerable Software and Affected Versions: Linux kernel, affected versions not specified. Description: The Linux kernel's netfilter module contains an issue within the nf_tables component related to chain validation. The vulnerability can lead to CPU soft lock-ups during nft chain validat...

CVSS 5.5 · AI score 5.4 · EPSS 0.00164
Exploits 0
Positive Technologies
added 2024/12/13 12:00 a.m. · 5 views

PT-2024-36551 · Unknown · Invoice Ninja

Name of the Vulnerable Software and Affected Versions: Invoice Ninja versions prior to 5.10.43. Description: The issue allows remote code execution from a pre-authenticated route when an attacker knows the APP_KEY. This is exacerbated by .env files that have default APP_KEY values. The route...

CVSS 8.8 · AI score 10 · EPSS 0.065
Exploits 5 · References 8
Vulnrichment
added 2024/11/18 12:00 a.m. · 11 views

CVE-2019-25220

Bitcoin Core before 24.0.1 allows remote attackers to cause a denial of service (daemon crash) via a flood of low-difficulty header chains, aka a "Chain Width Expansion" attack, because a node does not first verify that a presented chain has enough work before committing to store it...

AI score 6.6 · EPSS 0.00783
Exploits 0 · References 3
CNNVD
added 2024/11/18 12:00 a.m. · 3 views

Bitcoin Core security vulnerability

Bitcoin Core is a Bitcoin open source client for verifying the validity of blockchain transactions. A security vulnerability exists in versions of Bitcoin Core prior to 24.0.1 that stems from a failure to verify that the provided chain has sufficient work, allowing an attacker to cause a deni...

CVSS 7.5 · AI score 6.6 · EPSS 0.00783
Exploits 0 · References 3
Snyk
added 2024/11/15 11:44 a.m. · 4 views

Deserialization of Untrusted Data

Overview: Affected versions of this package are vulnerable to Deserialization of Untrusted Data through the file_get_contents function. An attacker can execute arbitrary code by uploading a file with a malicious phar:// protocol, leading to the deserialization and instantiation of arbitrary PHP...

CVSS 9.8 · AI score 8.2 · EPSS 0.0143
Exploits 1 · References 2
NVD
added 2024/11/15 11:15 a.m. · 22 views

CVE-2021-3838

DomPDF before version 2.0.0 is vulnerable to PHAR deserialization due to a lack of checking on the protocol before passing it into the file_get_contents function. An attacker who can upload files of any type to the server can pass in the phar:// protocol to unserialize the uploaded file and...

CVSS 9.8 · EPSS 0.0143
Exploits 1 · References 2
Microsoft CVE
added 2024/11/09 8:00 a.m. · 2 views

Gnutls: potential crash during chain building/verification

...

CVSS 5 · AI score 6.5 · EPSS 0.00386
Exploits 0
Talos Blog
added 2024/10/22 10:00 a.m. · 10 views

Threat actor abuses Gophish to deliver new PowerRAT and DCRAT

Cisco Talos recently discovered a phishing campaign using an open-source phishing toolkit called Gophish by an unknown threat actor. The campaign involves modular infection chains that are either Maldoc or HTML-based infections and require the victim's intervention to trigger the infection chain...

AI score 8.4
Exploits 0
The Hacker News
added 2024/10/15 6:43 a.m. · 15 views

Researchers Uncover Hijack Loader Malware Using Stolen Code-Signing Certificates

Cybersecurity researchers have disclosed a new malware campaign that delivers Hijack Loader artifacts that are signed with legitimate code-signing certificates. French cybersecurity company HarfangLab, which detected the activity at the start of the month, said the attack chains aim to deploy an...

AI score 7.3
Exploits 0
CVE
added 2024/10/10 3:49 p.m. · 63 views

CVE-2023-25581

The CVE-2023-25581 entry concerns pac4j-core before 4.0.0, where a Java deserialization vulnerability in UserProfile attributes can be triggered by a serialized object with a {#sb64} prefix and Base64 encoding, potentially leading to RCE. Affected versions are prior to 4.0.0; 4.0.0 and later are ...

CVSS 9.2 · AI score 7.3 · EPSS 0.01949
Exploits 1 · References 4
Tenable Nessus
added 2024/10/09 12:00 a.m. · 21 views

CentOS 7 : thunderbird (RHSA-2020:2906)

The remote CentOS Linux 7 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:2906 advisory. - Due to confusion about ValueTags on JavaScript Objects, an object may pass through the type barrier, resulting in memory corruption and a potentially...

CVSS 9.3 · AI score 7.8 · EPSS 0.03034
Exploits 2 · References 7
Tenable Nessus
added 2024/10/09 12:00 a.m. · 29 views

CentOS 6 : thunderbird (RHSA-2020:2966)

The remote CentOS Linux 6 host has a package installed that is affected by multiple vulnerabilities as referenced in the RHSA-2020:2966 advisory. - Manipulating individual parts of a URL object could have caused an out-of-bounds read, leaking process memory to malicious JavaScript. This...

CVSS 9.3 · AI score 7.8 · EPSS 0.03034
Exploits 1 · References 6