Lucene search
23 matches found

OSV
added 2026/05/14 4:19 p.m. · 1 view

GHSA-78PR-C5X5-JGGC FlowiseAI: Assistant create+update mass-assignment allows cross-workspace assistant takeover

Summary Type: Mass assignment via Object.assign(entity, body) - client-controlled workspaceId and, on create, id overwritten on the Assistant entity - cross-workspace data takeover and IDOR. File: packages/server/src/services/assistants/index.ts Root cause: The Assistant controller/service construct...

CVSS 7.7 · AI score 6
Exploits 0 · References 5
OSV
added 2026/01/23 12:23 p.m. · 2 views

OESA-2026-1215 assimp security update

Assimp is a library to load and process geometric scenes from various data formats. Assimp aims to provide a full asset conversion pipeline for use in game engines and real-time rendering systems of any kind, but is not limited to this purpose. Security Fixes: A vulnerability was found in Open...

CVSS 5.5 · AI score 4.3 · EPSS 0.00112
Exploits 1 · References 2
OpenVAS
added 2025/12/22 12:00 a.m. · 5 views

Moodle Prompt Injection Vulnerability (MSA-25-0053)

Moodle is prone to a prompt injection vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:moodle:moodle"; if(descriptio...

CVSS 7.3 · AI score 5.4 · EPSS 0.00007
Exploits 0 · References 1
EUVD
added 2025/10/03 8:07 p.m. · 3 views

EUVD-2024-19966

Malicious code in bioql PyPI...

CVSS 6.5 · AI score 5.8 · EPSS 0.002
Exploits 1 · References 1
Github Security Blog
added 2025/08/12 12:13 a.m. · 6 views

HFS user adding a "web link" in HFS is vulnerable to "target=_blank" exploit

Summary When adding a "web link" to the HFS virtual filesystem, the frontend opens it with target="_blank" but without the rel="noopener noreferrer" attribute. This allows the opened page to use the window.opener property to change the location of the original HFS tab. Details While most modern...

AI score 6.5
Exploits 0 · References 3 · Affected Software 1
Positive Technologies
added 2025/07/24 12:00 a.m. · 0 views

PT-2025-30672 · Wwbn · Avideo

Name of the Vulnerable Software and Affected Versions: WWBN AVideo versions 14.4 and dev master commit 8a8954ff Description: A race condition exists in the aVideoEncoder.json.php unzip functionality. A series of specially crafted HTTP requests can lead to arbitrary code execution. Recommendations...

CVSS 8.8 · AI score 6.8 · EPSS 0.01217
Exploits 1 · References 7
OpenVAS
added 2025/07/16 12:00 a.m. · 3 views

Oracle OpenJDK 8.x - 24.x Multiple Vulnerabilities (Jul 2025)

Oracle OpenJDK is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:oracle:openjdk"; if(descripti...

CVSS 8.1 · AI score 7.1 · EPSS 0.02123
Exploits 1 · References 2
Patchstack
added 2025/07/08 12:00 a.m. · 5 views

WordPress Sala Theme <= 1.1.3 is vulnerable to Broken Access Control

Software: Sala; Type: Theme; Vulnerable versions: <= 1.1.3; Fixed in: N/A; OWASP Top 10: A1: Broken Access Control; Classification: Broken Access Control; CVE: CVE-2025-52803; Patch priority: High; CVSS severity: High 7.5; Developer: Claim ownership; PSID: 485a6b36a4e6; Credits: Thái An; Required privilege: Unauthenticate...

CVSS 7.5 · AI score 6.2 · EPSS 0.00229
Exploits 0 · References 1 · Affected Software 1
Positive Technologies
added 2025/06/06 12:00 a.m. · 2 views

PT-2025-24233 · Implecode · Implecode Product Catalog Simple

Name of the Vulnerable Software and Affected Versions: impleCode Product Catalog Simple versions 1.8.1 and earlier Description: The issue is related to improper neutralization of input during web page generation, which allows for Stored Cross-site Scripting (XSS). This means that an attacker can...

CVSS 6.5 · AI score 6.1 · EPSS 0.00143
Exploits 0 · References 3
Patchstack
added 2025/05/30 7:33 a.m. · 6 views

WordPress WP Guppy plugin <= 4.3.3 - SQL Injection Vulnerability

SQL Injection Vulnerability discovered by Trương Hữu Phúc (truonghuuphuc) in WordPress Plugin WP Guppy versions <= 4.3.3...

CVSS 8.5 · AI score 7.8 · EPSS 0.00179
Exploits 0 · Affected Software 1
RedhatCVE
added 2025/05/22 9:23 p.m. · 7 views

CVE-2021-29534

TensorFlow is an end-to-end open source platform for machine learning. An attacker can trigger a denial of service via a CHECK-fail in tf.raw_ops.SparseConcat. This is because the...

CVSS 5.5 · AI score 6.6 · EPSS 0.0001
Exploits 1 · References 1
IBM Security Bulletins
added 2025/05/05 7:29 p.m. · 30 views

Security Bulletin: IBM® Db2® is affected by a vulnerability in the netty library. (CVE-2024-47535, CVE-2025-25193)

Summary IBM® Db2® is vulnerable to a denial of service due to unsafe environment file loading. Vulnerability Details CVEID: CVE-2024-47535 DESCRIPTION: Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers &...

CVSS 5.5 · AI score 6.6 · EPSS 0.00467
Exploits 1 · Affected Software 1
OpenVAS
added 2025/04/14 12:00 a.m. · 10 views

Debian: Security Advisory (DLA-4126-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if(description...

CVSS 8.8 · AI score 7.7 · EPSS 0.0057
Exploits 0 · References 2
Positive Technologies
added 2025/04/10 12:00 a.m. · 2 views

PT-2025-25808

Name of the Vulnerable Software and Affected Versions: Linux kernel versions prior to the version that includes the fix for this issue Description: A vulnerability in the Linux kernel has been resolved. The issue occurs when calling core::fmt::write from Rust code while FineIBT is enabled, resultin...

CVSS 7.8 · AI score 8.2 · EPSS 0.00307
Exploits 8 · References 579
Positive Technologies
added 2025/04/08 12:00 a.m. · 7 views

PT-2025-15580 · Microsoft · Autoupdate

Name of the Vulnerable Software and Affected Versions: Microsoft AutoUpdate (MAU), affected versions not specified Description: The issue is related to improper privilege management, allowing an authorized attacker to elevate privileges locally. Recommendations: At the moment, there is no informatio...

CVSS 7.8 · AI score 8.4 · EPSS 0.00478
Exploits 0 · References 5
Positive Technologies
added 2025/02/03 12:00 a.m. · 3 views

PT-2025-3463 · Sourcecodester · Sourcecodester Packers/Movers Management System

Name of the Vulnerable Software and Affected Versions: SourceCodester Packers and Movers Management System version 1.0 Description: The issue concerns a Cross-Site Scripting (XSS) problem in the Users.php file. An attacker can inject a malicious script into the username or name field during user...

CVSS 6.4 · AI score 6.6 · EPSS 0.01091
Exploits 1 · References 6
OpenVAS
added 2025/01/10 12:00 a.m. · 11 views

Debian: Security Advisory (DLA-4009-1)

The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if(description...

CVSS 8.8 · AI score 7.9 · EPSS 0.07766
Exploits 1 · References 2
Positive Technologies
added 2024/11/19 12:00 a.m. · 3 views

PT-2024-34784 · Unknown · Mdr Webmaster Tools

Name of the Vulnerable Software and Affected Versions: MDR Webmaster Tools versions n/a through 1.1 Description: The issue is a Cross-Site Request Forgery (CSRF) vulnerability that allows Stored XSS. This means an attacker can trick a user into performing unintended actions on a web application, an...

CVSS 7.1 · AI score 6.8 · EPSS 0.00144
Exploits 0 · References 3
ossfuzz
added 2017/09/27 10:59 a.m. · 10 views

librawspeed: Use-of-uninitialized-value in rawspeed::RawImageData::checkMemIsInitialized

Project: https://github.com/darktable-org/rawspeed.git Detailed report: https://oss-fuzz.com/testcase?key=5848500820508672 Project: librawspeed Fuzzer: libFuzzer_librawspeed_TiffParserFuzzer-GetDecoder-Decode Fuzz target binary: TiffParserFuzzer-GetDecoder-Decode Job Type: libfuzzer_msan_librawspeed...

AI score 6.7
Exploits 0 · Affected Software 1
Exploit DB
added 2008/01/21 12:00 a.m. · 38 views

OZJournals 2.1.1 - 'id' File Disclosure

Name: OZJournals 2.1.1 Website: http://www.aqonlinenetworks.com/ Vulnerability type: Local File Exposure Author: shinmai, 2008-01-21 Description: OZJournals uses .php files as its storage, and posts are read from them with the get_contents function. This protects against traditional LFI exploits, bu...

AI score 7.4
Exploits 0