CVE-2025-63387

Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous...

CVE-2025-63388

A Cross-Origin Resource Sharing CORS misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any...

PT-2025-52255

Name of the Vulnerable Software and Affected Versions Dify version 1.9.1 Description A Cross-Origin Resource Sharing CORS misconfiguration exists in the /console/api/system-features endpoint. The endpoint has an overly permissive CORS policy that reflects arbitrary Origin headers and sets...

CVE-2025-63387

Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous...

PT-2025-52282

Name of the Vulnerable Software and Affected Versions Dify version 1.9.1 Description Dify version 1.9.1 has an issue with insecure permissions. An attacker who is not authenticated can send HTTP GET requests to the /console/api/system-features API endpoint without providing any authentication. Th...

CVE-2025-63387

Dify v1.9.1 is vulnerable to Insecure Permissions. An unauthenticated attacker can directly send HTTP GET requests to the /console/api/system-features endpoint without any authentication credentials or session tokens. The endpoint fails to implement proper authorization checks, allowing anonymous...

Phishing Detection System: An Ensemble Approach Using Character-Level CNN and Feature Engineering

In actuality, phishing attacks remain one of the most prevalent cybersecurity risks in existence today, with malevolent actors constantly changing their strategies to successfully trick users. This paper presents an AI model for a phishing detection system that uses an ensemble approach to combin...

CVE-2025-63388

A Cross-Origin Resource Sharing CORS misconfiguration vulnerability exists in Dify v1.9.1 in the /console/api/system-features endpoint. The endpoint implements an overly permissive CORS policy that reflects arbitrary Origin headers and sets Access-Control-Allow-Credentials: true, allowing any...

CVE-2025-63387

CVE-2025-63387 affects Dify v1.9.1. An unauthenticated GET request to the endpoint /console/api/system-features bypasses authorization, exposing sensitive system configuration data. This constitutes a broken access control issue described across multiple sources (NVD, nuclei template, VulnCheck K...

CVE-2025-63388

The CVE-2025-63388 entry concerns Dify v1.9.1, specifically the /console/api/system-features endpoint. A misconfigured CORS policy is described as reflecting arbitrary Origin headers and setting Access-Control-Allow-Credentials: true, potentially enabling cross-origin requests to be authenticated...

Important: Red Hat Security Advisory: Red Hat Advanced Cluster Management for Kubernetes 2.11.9 security update

Red Hat Advanced Cluster Management for Kubernetes 2.11 General Availability release images, which add new features and enhancements, bug fixes, and updated container images. Red Hat Advanced Cluster Management for Kubernetes 2.11 images Red Hat Advanced Cluster Management for Kubernetes provides...

CVE-2025-46296

An authorization bypass vulnerability in FileMaker Server Admin Console allowed administrator roles with minimal privileges to access administrative features such as viewing license details and downloading application logs. This vulnerability has been fully addressed in FileMaker Server 22.0.4...

EUVD-2025-203725

In the Linux kernel, the following vulnerability has been resolved: x86/fpu: Ensure XFD state on signal delivery Sean reported 1 the following splat when running KVM tests: WARNING: CPU: 232 PID: 15391 at xfdvalidatestate+0x65/0x70 Call Trace: fpuclearuserstates+0x9c/0x100...

PT-2025-51764

Name of the Vulnerable Software and Affected Versions Apache Commons Text versions prior to 1.10.0 FileMaker Server versions prior to 22.0.4 Description Apache Commons Text versions prior to 1.10.0 contain interpolation features that could be exploited when applications process untrusted input...

Behavior-Aware and Generalizable Defense against Black-Box Adversarial Attacks for ML-Based IDS

Machine learning based intrusion detection systems are increasingly targeted by black box adversarial attacks, where attackers craft evasive inputs using indirect feedback such as binary outputs or behavioral signals like response time and resource usage. While several defenses have been proposed...

PHANTOM: Progressive High-Fidelity Adversarial Network for Threat Object Modeling

The scarcity of cyberattack data hinders the development of robust intrusion detection systems. This paper introduces PHANTOM, a novel adversarial variational framework for generating high-fidelity synthetic attack data. Its innovations include progressive training, a dual-path VAE-GAN...

EUVD-2025-202928

LibreChat is a ChatGPT clone with additional features. In versions 0.8.0 and below, there is no handler for JSON parsing errors; SyntaxError from express.json includes user input in the error message, which gets reflected in responses. User input including HTML/JavaScript can be exposed in error...

CVE-2025-42875

The SAP Internet Communication Framework does not conduct any authentication checks for features that need user identification allowing an attacker to reuse authorization tokens, violating secure authentication practices causing low impact on Confidentiality, Integrity and Availability of the...

Oracle Linux 10 / 9 : Unbreakable Enterprise kernel (ELSA-2025-28040)

The remote Oracle Linux 10 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2025-28040 advisory. - netfilter: nftables: reject duplicate device on updates Pablo Neira Ayuso Orabug: 38712798 CVE-2025-38678 - ice: fix using untrusted value of...

EUVD-2025-201958

Insertion of Sensitive Information Into Sent Data vulnerability in averta Shortcodes and extra features for Phlox theme auxin-elements allows Retrieve Embedded Sensitive Data.This issue affects Shortcodes and extra features for Phlox theme: from n/a through = 2.17.12...