JLSEC-2025-301 A flaw was found in tiffcrop, a program distributed by the libtiff package

A flaw was found in tiffcrop, a program distributed by the libtiff package. A specially crafted tiff file can lead to an out-of-bounds read in the extractImageSection function in tools/tiffcrop.c, resulting in a denial of service and limited information disclosure. This issue affects libtiff...

JLSEC-2025-314 A heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection() at tools/tiffcro...

A heap-buffer-overflow vulnerability was found in LibTIFF, in extractImageSection at tools/tiffcrop.c:7916 and tools/tiffcrop.c:7801. This flaw allows attackers to cause a denial of service via a crafted tiff file...

CVE-2025-12970

The extractname function in Fluent Bit indocker input plugin copies container names into a fixed size stack buffer without validating length. An attacker who can create containers or control container names, can supply a long name that overflows the buffer, leading to process crash or arbitrary...

MAL-2025-190956 Malicious code in docusaurus-plugin-vanilla-extract (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2659e389b89fcdf1fe723b544962764d4f2881cae9694dc4107fbbb4ec077328 The package docusaurus-plugin-vanilla-extract was found to contain malicious code. Source: ghsa-malware...

EUVD-2025-199087

Malicious code in docusaurus-plugin-vanilla-extract npm...

Malicious code in docusaurus-plugin-vanilla-extract (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 2659e389b89fcdf1fe723b544962764d4f2881cae9694dc4107fbbb4ec077328 The package docusaurus-plugin-vanilla-extract was found to contain malicious code. Source: ghsa-malware...

Cinnamon kotaemon 安全漏洞

Cinnamon kotaemon is a RAG-based open source tool from Cinnamon Open Source. A security vulnerability exists in Cinnamon kotaemon version 0.11.0, which stems from a failure of the mayextractzip function to check the contents of a ZIP file, which could lead to resource exhaustion...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal in the extractPackageTarball function. An attacker can write arbitrary files to unintended locations on the server by supplying a malicious tarball with crafted file paths and leveraging the X-Npmrc header to specify...

CVE-2025-13035 Code Snippets <= 3.9.1 - Authenticated (Contributor+) PHP Code Injection via extract() and PHP Filter Chains

The Code Snippets plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.9.1. This is due to the plugin's use of extract on attacker-controlled shortcode attributes within the evaluateshortcodefromflatfile method, which can be used to overwrite the...

WordPress Code Snippets plugin <= 3.9.1 - Authenticated (Contributor+) PHP Code Injection via extract() and PHP Filter Chains vulnerability

Authenticated Contributor+ PHP Code Injection via extract and PHP Filter Chains vulnerability discovered by mikemyers in WordPress Plugin Code Snippets versions = 3.9.1...

EUVD-2025-197914

Observable Timing Discrepancy CWE-208 in HBUS devices may allow an attacker with physical access to the device to extract device-specific keys, potentially compromising further site security. This issue affects Command Centre Server: 9.30 prior to vCR9.30.251028a distributed in 9.30.2881 MR3, 9.2...

CVE-2025-52457

Observable Timing Discrepancy CWE-208 in HBUS devices may allow an attacker with physical access to the device to extract device-specific keys, potentially compromising further site security. This issue affects Command Centre Server: 9.30 prior to vCR9.30.251028a distributed in 9.30.2881 MR3, 9.2...

CVE-2025-52457

Observable Timing Discrepancy CWE-208 in HBUS devices may allow an attacker with physical access to the device to extract device-specific keys, potentially compromising further site security. This issue affects Command Centre Server: 9.30 prior to vCR9.30.251028a distributed in 9.30.2881 MR3, 9.2...

PT-2025-47240

Observable Timing Discrepancy CWE-208 in HBUS devices may allow an attacker with physical access to the device to extract device-specific keys, potentially compromising further site security. This issue affects Command Centre Server: 9.30 prior to vCR9.30.251028a distributed in 9.30.2881 MR3, 9.2...

HSEC-2023-0014 Arbitrary file write is possible when using PDF output or --extract-media with untrusted input

Arbitrary file write is possible when using PDF output or --extract-media with untrusted input Pandoc is susceptible to an arbitrary file write vulnerability, which can be triggered by providing a specially crafted image element in the input when generating files using the --extract-media option ...

EUVD-2025-177835

Malicious code in mini-css-extract-plugin-meissa-chai-ganymede npm...

EUVD-2025-179228

Malicious code in dynamo-mini-css-extract-plugin-cosmicsilence-frontend npm...

EUVD-2025-178484

Malicious code in hydra-hawkingradiation-markdownlint-mini-css-extract-plugin npm...

EUVD-2025-177832

Malicious code in mini-css-extract-plugin-radiant-axios-sirius npm...

EUVD-2025-175468

Malicious code in xo-mini-css-extract-plugin-vega-koa npm...