PT-2025-12970 · Icinga +1 · Icinga Web 2 +1
Name of the Vulnerable Software and Affected Versions: Icinga Web 2 versions prior to 2.11.5; Icinga Web 2 versions prior to 2.12.13. Description: A vulnerability in Icinga Web 2 allows an attacker to craft a URL that, once visited by any user, enables the embedding of arbitrary JavaScript into...
PT-2025-12941 · Icinga +1 · Icinga Web 2 +1
Name of the Vulnerable Software and Affected Versions: Icinga Web 2 versions prior to 2.11.5; Icinga Web 2 versions prior to 2.12.13. Description: A vulnerability in Icinga Web 2 allows an attacker to craft a URL that, once visited by any user, enables the embedding of arbitrary JavaScript into...
Exploit for Use After Free in Microsoft
CVE-2025-21298 content This is a proof-of-concept for CV...
GHSA-VF6X-59HH-332F Formwork has a cross-site scripting (XSS) vulnerability in Site title
Summary: The site title field at /panel/options/site/ allows embedding JS tags, which can be used to attack all members of the system. This is a widespread attack and can cause significant damage if there is a considerable number of users. Impact: The attack is widespread, leveraging what XSS can do...
CVE-2025-0513
In affected versions of Octopus Server, error messages were handled unsafely on the error page. If an adversary could control any part of the error message, they could embed code which may impact the user viewing the error message...
PT-2025-6190 · Unknown · Octopus Server
Name of the Vulnerable Software and Affected Versions: Octopus Server, affected versions not specified. Description: The issue arises from the unsafe handling of error messages on the error page in affected versions of Octopus Server. If an adversary can control any part of the error message, they...
CVE-2025-20128
A vulnerability in the Object Linking and Embedding 2 (OLE2) decryption routine of ClamAV could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to an integer underflow in a bounds check that allows for a heap buff...
GHSA-FCR8-4R9F-R66M nbgrader's `frame-ancestors: self` grants all users access to formgrader
Impact: Enabling frame-ancestors: 'self' grants any JupyterHub user the ability to extract formgrader content by sending malicious links to users with access to formgrader, at least when using the default JupyterHub configuration of enablesubdomains = False. 1915 disables a protection which would...
CVE-2025-21298
Windows OLE Remote Code Execution Vulnerability...
Microsoft OLE Resource Management Error Vulnerability
Microsoft OLE is an object-oriented technology from Microsoft Corporation (USA). A resource management error vulnerability exists in Microsoft OLE. An attacker exploiting this vulnerability could remotely execute code. The following products and versions are affected: Windows Server 2019 Server Core...
January 7, 2025, update for PowerPoint 2016 (KB5002632)
January 7, 2025, update for PowerPoint 2016 (KB5002632). This article describes update 5002632 for Microsoft PowerPoint 2016 that was released on January 7, 2025. Be aware that the update in the Microsoft Download Center applies to the Microsoft Installer (.msi)-based edition of Office 2016. It doesn't...
PT-2025-39414
Name of the Vulnerable Software and Affected Versions: TensorFlow version 2.18.0. Description: TensorFlow version 2.18.0 exhibits a behavior where it outputs random results during the compilation of the Embedding component. This can lead to unpredictable application behavior. Recommendations: At the...
AI Under the Microscope: What's Changed in the OWASP Top 10 for LLMs 2025
As AI continues to evolve, so do the threats and vulnerabilities that surround Large Language Models (LLMs). The OWASP Top 10 for LLM Applications 2025 introduces critical updates that reflect the rapid changes in how these models are applied in real-world scenarios. While the list includes...
Decidim Cross-Site Scripting Vulnerability
Decidim is an open source participatory democracy framework from Decidim, written in Ruby on Rails. A cross-site scripting vulnerability exists in Decidim versions 0.28.0, 0.28.1, and 0.28.2, which stems from a potential cross-site scripting attack on the meeting embedding functionality used in onlin...
Information Exposure
Overview: open-webui is Open WebUI. Affected versions of this package are vulnerable to Information Exposure due to the embedding model update feature under admin settings. An attacker can expose sensitive information by observing error messages that vary based on the file's existence and...
CVE-2024-7038
An information disclosure vulnerability exists in open-webui version 0.3.8. The vulnerability is related to the embedding model update feature under admin settings. When a user updates the model path, the system checks if the file exists and provides different error messages based on the existenc...
CVE-2024-7038
CVE-2024-7038 describes an information disclosure in open-webui v0.3.8 where the embedding model update feature under admin settings reveals different error messages based on file existence or configuration. This enables an attacker to enumerate file names and traverse directories, exposing sensitiv...