Security Bulletin: IBM Engineering Lifecycle Management - Jazz Foundation is impacted by a remote attack to the root directory which results in a Denial of Service (DoS) condition

Summary IBM Engineering Lifecycle Management could allow an unauthenticated remote attacker to update server configuration files which would allow them to perform unauthorized actions, subsequently leading to a Denial of Service condition. The associated CVE is addressed. Vulnerability Details...

CVE-2025-41000

Cross-Frame Scripting XFS vulnerability in BoomCMS v9.1.4 from UXB London. XFS is a web attack technique that exploits specific browser bugs to spy on users via JavaScript. This type of attack is based on social engineering and depends entirely on the browser chosen by the user, so it is perceive...

Mind the Gap: Evaluating Model- and Agentic-Level Vulnerabilities in LLMs with Action Graphs

As large language models transition to agentic systems, current safety evaluation frameworks face critical gaps in assessing deployment-specific risks. We introduce AgentSeer, an observability-based evaluation framework that decomposes agentic executions into granular action and component graphs,...

Security Bulletin: The IBM Engineering Test Management product using WebSphere Application Server traditional is affected by a denial of service due to Apache Commons FileUpload (CVE-2025-48976)

Summary There is a vulnerability in Apache Commons FileUpload which affects IBM WebSphere Application Server traditional and affects IBM WebSphere Application Server Liberty with the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0 or servlet-6.0 feature enabled. It has been addressed in this...

Security Bulletin: The IBM Engineering Test Management product using WebSphere Application Server is affected by a denial of service with glassfish jsonp (CVE-2025-36097)

Summary IBM WebSphere Application Server and WebSphere Application Server Liberty are affected by a denial of service. This affects WebSphere Liberty with the jsonp-1.0, jsonp-1.1, or jsonp-2.0 features enabled. It has been addressed in this bulletin. Vulnerability Details Refer to the security...

Security Bulletin: The IBM Engineering Test Management product using WebSphere Application Server traditional could allow a remote attacker to bypass security restrictions (CVE-2024-56339)

Summary IBM WebSphere Application Server and Webphere Application Server Liberty are affected by a security bypass caused by a failure to honor security configuration. It has been addressed in this bulletin. Vulnerability Details Refer to the security bulletins listed in the Remediation/Fixes...

Security Bulletin: The IBM® Engineering Lifecycle Management products using WebSphere Application Server Liberty is affected by a security bypass in JMS messaging (CVE-2025-36124)

Summary IBM WebSphere Application Server Liberty is affected by a security bypass vulnerability in JMS messaging with the wasJmsServer-1.0, wasJmsSecurity-1.0, wasJmsClient-2.0, messagingServer-3.0, messagingSecurity-3.0, or messagingClient-3.0 feature enabled. Following IBM® Engineering Lifecycl...

Security Bulletin: The IBM® Engineering Lifecycle Management products using WebSphere Application Server Liberty is affected by a denial of service due to Apache Commons FileUpload (CVE-2025-48976)

Summary There is a vulnerability in Apache Commons FileUpload which affects IBM WebSphere Application Server traditional and affects IBM WebSphere Application Server Liberty with the servlet-3.0, servlet-3.1, servlet-4.0, servlet-5.0 or servlet-6.0 feature enabled. Following IBM® Engineering...

Security Bulletin: The IBM® Engineering Lifecycle Management products using WebSphere Application Server Liberty is affected by a denial of service (CVE-2025-36000)

Summary IBM WebSphere Application Server Liberty is affected by a stored cross-site scripting vulnerability with the adminCenter-1.0 feature enabled. Following IBM® Engineering Lifecycle Management products are vulnerable to this attack, it has been addressed in this bulletin: Jazz Foundation,...

Insufficient validation in the Drag and Drop API in conjunction with social engineering, may have allowed an attacker to trick end-users into creating a shortcut to local system files. This could have been leveraged to execute arbitrary code. This vulnerability affects Firefox < 115.

...

CVE-2025-41000

Cross-Frame Scripting XFS vulnerability in BoomCMS v9.1.4 from UXB London. XFS is a web attack technique that exploits specific browser bugs to spy on users via JavaScript. This type of attack is based on social engineering and depends entirely on the browser chosen by the user, so it is perceive...

PT-2025-35710

Name of the Vulnerable Software and Affected Versions: BoomCMS version 9.1.4 Description: This issue is a Cross-Frame Scripting XFS vulnerability. XFS is a web attack technique that exploits specific browser bugs to spy on users via JavaScript and relies on social engineering. It is perceived as ...

SunPower PVS6

RISK EVALUATION Successful exploitation of this vulnerability could allow attackers to gain full access to the device, enabling them to replace firmware, modify settings, disable the device, create SSH tunnels, and manipulate attached devices. 2. RECOMMENDED PRACTICES CISA recommends users take...

Security Bulletin: IBM Engineering Lifecycle Management - Jazz Foundation is impacted by vulnerabilities in CKEditor 4.19

Summary Vulnerabiltiies have been identified in CKEditor 4.19, which is used in IBM Engineering Lifecycle Management - Jazz Foundation. Vulnerability Details CVEID:CVE-2024-24816 DESCRIPTION: CKEditor4 is an open source what-you-see-is-what-you-get HTML editor. A cross-site scripting vulnerabilit...

Linux Distros Unpatched Vulnerability : CVE-2022-24349

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An authenticated user can create a link with reflected XSS payload for actions' pages, and send it to other users. Malicious code has access to all the same...

Linux Distros Unpatched Vulnerability : CVE-2023-0450

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue has been discovered in GitLab affecting all versions starting from 8.1 to 15.8.5, and from 15.9 to 15.9.4, and from 15.10 to 15.10.1. It was possible t...

Linux Distros Unpatched Vulnerability : CVE-2023-2013

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue has been discovered in GitLab CE/EE affecting all versions starting from 1.2 before 15.10.8, all versions starting from 15.11 before 15.11.7, all...

MixShell Malware Delivered via Contact Forms Targets U.S. Supply Chain Manufacturers

Cybersecurity researchers are calling attention to a sophisticated social engineering campaign that's targeting supply chain-critical manufacturing companies with an in-memory malware dubbed MixShell. The activity has been codenamed ZipLine by Check Point Research. "Instead of sending unsolicited...

Linux Distros Unpatched Vulnerability : CVE-2019-6795

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An issue was discovered in GitLab Community and Enterprise Edition before 11.5.8, 11.6.x before 11.6.6, and 11.7.x before 11.7.1. It has Insufficient Visual...

CVE-2025-55619

Reolink v4.54.0.4.20250526 was discovered to contain a hardcoded encryption key and initialization vector. An attacker can leverage this vulnerability to decrypt access tokens and web session tokens stored inside the app via reverse engineering...