PT-2025-50652

Name of the Vulnerable Software and Affected Versions Ruijie RG-BCR600W affected versions not specified Description An issue exists in Ruijie RG-BCR600W that allows attackers to execute arbitrary commands. This is due to an OS Command Injection flaw triggered by a crafted POST request to the chec...

EUVD-2025-202749

OS Command Injection vulnerability in Ruijie RG-BCR RG-BCR600W allowing attackers to execute arbitrary commands via a crafted POST request to the checkchanges in file /usr/lib/lua/luci/controller/admin/common.lua...

PT-2025-50657

Name of the Vulnerable Software and Affected Versions Ruijie RG-BCR RG-BCR600W affected versions not specified Description An issue exists in Ruijie RG-BCR RG-BCR600W that allows attackers to execute arbitrary commands. This is possible through a crafted POST request to the run tcpdump function...

CVE-2025-56127

The CVE-2025-56127 entry concerns Ruijie RG-BCR RG-BCR600W. The vulnerability is an OS Command Injection in the get_wanobj handler inside /usr/lib/lua/luci/controller/admin/common.lua, triggered by a crafted POST request. The root cause is improper handling of crafted input, enabling execution of...

CVE-2025-56087

CVE-2025-56087 affects Ruijie RG-BCR RG-BCR600W. The OS Command Injection exists in the run_tcpdump handling path: /usr/lib/lua/luci/controller/admin/common_tcpdump.lua, due to unvalidated input in the POST to run_tcpdump. This yields arbitrary command execution with high impact (per CVSS: Networ...

CVE-2025-56111

Affected software: Ruijie RG-BCR RG-BCR860. Issue: OS Command Injection in the netport.lua handler when processing crafted POST to network_set_wan_conf. Impact: attackers can execute arbitrary commands with high severity (CVSS 3.1: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H). Affected file: /usr/lib/lua...

CVE-2025-56088

CVE-2025-56088 affects Ruijie RG-BCR RG-BCR860. The vulnerability is an OS command injection caused by unvalidated input in the action_service endpoint at /usr/lib/lua/luci/controller/admin/service.lua, exploitable via a crafted POST request. Impact as described: arbitrary command execution with ...

PT-2025-50666

Name of the Vulnerable Software and Affected Versions Ruijie RG-BCR600W affected versions not specified Description An issue exists in Ruijie RG-BCR600W that allows attackers to execute arbitrary commands. This is possible through a crafted POST request to the restart modules function located in...

CVE-2025-67648 Shopware's inproper input validation can lead to Reflected XSS through Storefront Login Page

Shopware is an open commerce platform. Versions 6.4.6.0 through 6.6.10.9 and 6.7.0.0 through 6.7.5.0 have a Reflected XSS vulnerability in AuthController.php. A request parameter from the login page URL is directly rendered within the Twig template of the Storefront login page without further...

EUVD-2025-202459

Jenkins's build authorization token is stored and displayed in plain text...

Jenkins's build authorization token is stored and displayed in plain text

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

GHSA-FXJ7-6V9W-XC76 Jenkins's build authorization token is stored and displayed in plain text

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

CVE-2025-67643

Jenkins Redpen - Pipeline Reporter for Jira Plugin 1.054.v7b9517b6b202 and earlier does not correctly perform path validation of the workspace directory while uploading artifacts to Jira, allowing attackers with Item/Configure permission to retrieve files present on the Jenkins controller workspa...

CVE-2025-67637

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

CVE-2025-67643

CVE-2025-67643 affects Jenkins Redpen - Pipeline Reporter for Jira Plugin (versions 1.054.v7b_9517b_6b_202 and earlier). The vulnerability is a path traversal flaw: improper validation of the workspace directory path during artifact uploads to Jira, enabling attackers with Item/Configure permissi...

CVE-2025-67637

Jenkins 2.540 and earlier, LTS 2.528.2 and earlier stores build authorization tokens unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system...

CVE-2025-67637

CVE-2025-67637 affects Jenkins 2.540 and earlier, and LTS 2.528.2 and earlier. The issue is that build authorization tokens are stored unencrypted in job config.xml on the Jenkins controller, making them viewable by users with Item/Extended Read permission or with access to the controller filesys...

CVE-2025-62109

Insertion of Sensitive Information Into Sent Data vulnerability in INFINITUM FORM Geo Controller cf-geoplugin allows Retrieve Embedded Sensitive Data.This issue affects Geo Controller: from n/a through = 8.9.4...

CVE-2022-50646

In the Linux kernel, the following vulnerability has been resolved: scsi: hpsa: Fix possible memory leak in hpsainitone The hpdaallocctlrinfo allocates h and its field replymap. However, in hpsainitone, if allocpercpu failed, the hpsainitone jumps to clean1 directly, which frees h and leaks the...

SUSE CVE-2022-50646

In the Linux kernel, the following vulnerability has been resolved: scsi: hpsa: Fix possible memory leak in hpsainitone The hpdaallocctlrinfo allocates h and its field replymap. However, in hpsainitone, if allocpercpu failed, the hpsainitone jumps to clean1 directly, which frees h and leaks the...