CVE-2025-3594
Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 34, and older unsupported versions allows remote attackers to (1) add files to arbitrary locations on the server and (2) download and...
CVE-2025-40727 Reflected Cross-Site Scripting (XSS) in Phoenix CMS
A Reflected Cross-Site Scripting (XSS) vulnerability was found in '/search' in Phoenix Site CMS from Phoenix, which allows remote attackers to execute arbitrary code via 's' GET parameter...
Malicious code in zxdb (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 4b6e6fbdc6289a7a4946e72303aaeb98c9b837470df312ade4e634a7fa81fa52 Any computer that has this package installed or running should be considered...
CVE-2025-49468
A SQL injection vulnerability in No Boss Calendar component before 5.0.7 for Joomla was discovered. The vulnerability allows remote authenticated users to execute arbitrary SQL commands via the idmodule parameter...
CVE-2025-47959
Improper neutralization of special elements used in a command ('command injection') in Visual Studio allows an authorized attacker to execute code over a network...
Malicious code in customdropdownadapter (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 3e29bf2cb2ca6349ffa2030e7ae2a9d4f49fb302fc084fb3ace37e76b543b502 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
SUSE CVE-2025-22236
Minion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job on other minions (>= 3007.0)...
CVE-2025-22236
Minion event bus authorization bypass. An attacker with access to a minion key can craft a message which may be able to execute a job on other minions (>= 3007.0)...
CVE-2025-46874
Adobe Experience Manager versions 6.5.22 and earlier are affected by a reflected Cross-Site Scripting (XSS) vulnerability. If a low privileged attacker is able to convince a victim to visit a URL referencing a vulnerable page, malicious JavaScript content may be executed within the context of the...
CVE-2025-46863 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)
Adobe Experience Manager versions 6.5.22 and earlier are affected by a stored Cross-Site Scripting (XSS) vulnerability that could be abused by a low privileged attacker to inject malicious scripts into vulnerable form fields. Malicious JavaScript may be executed in a victim’s browser when they brow...
CVE-2025-29828
Missing release of memory after effective lifetime in Windows Cryptographic Services allows an unauthorized attacker to execute code over a network...
Microsoft Windows Installer Service Link Following Local Privilege Escalation Vulnerability
This vulnerability allows local attackers to escalate privileges on affected installations of Microsoft Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The specific flaw exists within the Windows...
CVE-2025-41362 Code injection vulnerability in IDF and ZLF
Code injection vulnerability in IDF v0.10.0-0C03-03 and ZLF v0.10.0-0C03-04. This vulnerability allows an attacker to store malicious payload in software that will run in the victim's browser. Exploiting this vulnerability requires authenticating to the device and executing certain commands that...
Malicious code in arc-offsec-custom-library6 (npm)
--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 05c0ad6a05bb523b5d5f58ae559288cd55c8c2019374a44703101d1efff52f1b Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
Arbitrary File Upload
xyz.erupt, erupt is vulnerable to arbitrary file upload. The vulnerability is due to improper validation in the /upload/GoodsCategory/image component, allowing attackers to upload crafted files and execute arbitrary code...
MAL-2025-4707 Malicious code in virtru-private (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware 60777031b508b2b27184e7bcdd9afb52ab3ca2e19bda0d7d4dee9333e7ff1190 Any computer that has this package installed or running should be considered...
CVE-2025-5680
A vulnerability classified as critical was found in Shenzhen Dashi Tongzhou Information Technology AgileBPM up to 2.5.0. Affected by this vulnerability is the function executeScript of the file /src/main/java/com/dstz/sys/rest/controller/SysScriptController.java of the component Groovy Script...
Malicious code in world-id-poap (npm)
The package communicates with a domain associated with malicious activity. --- -= Per source details. Do not edit below this line.=- Source: ossf-package-analysis bdb64432a67fa7109c5ee4d1d5b94d0127eaedab876302eb3b246ae55b111498 The OpenSSF Package Analysis project identified 'world-id-poap' @ 1.0...
CVE-2025-27955
Clinical Collaboration Platform 12.2.1.5 has a weak logout system where the session token remains valid after logout and allows a remote attacker to obtain sensitive information and execute arbitrary code...
CVE-2025-27953
An issue in Clinical Collaboration Platform 12.2.1.5 allows a remote attacker to obtain sensitive information and execute arbitrary code via the session management component...