3428 matches found

Hacker One
added 2025/12/15 9:31 a.m., 11 views

Node.js: Node.js permission model bypass via unchecked Unix Domain Socket connections (UDS)

A flaw was discovered in Node.js's permission model that allowed Unix Domain Socket (UDS) connections to bypass network restrictions when --permission was enabled. Even without --allow-net, attacker-controlled inputs could connect to arbitrary local sockets via net, tls, or undici/fetch, breaking t...

CVSS 10 | AI score 5.7 | EPSS 0.00663
Exploits 1
OSV
added 2025/12/14 11:15 p.m., 2 views

AZL-72862 CVE-2025-67899 affecting package uriparser 0.9.7-2

uriparser through 0.9.9 allows unbounded recursion and stack consumption, as demonstrated by ParseMustBeSegmentNzNc with large input containing many commas...

CVSS 2.9 | AI score 5.7 | EPSS 0.0012
Exploits 0 | References 1
Cvelist
added 2025/12/13 8:21 a.m., 26 views

CVE-2025-7960 King Addons for Elementor <= 51.1.39 - Authenticated (Contributor+) Stored Cross-Site Scripting via Multiple Widgets

The King Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's Pricing Slider, Pricing Calculator, and Image Accordion widgets in all versions up to, and including, 51.1.39 due to insufficient input sanitization and output escaping on user supplie...

CVSS 6.4 | EPSS 0.00155
Exploits 0 | References 2
Veracode
added 2025/12/13 7:28 a.m., 8 views

Command Injection

Cybersecurity AI (CAI) is vulnerable to Command Injection. The vulnerability is due to insufficient input sanitization in the run_ssh_command_with_credentials function, where the username, host, and port parameters are not properly escaped, allowing attackers to inject malicious commands...

CVSS 9.6 | AI score 5.8 | EPSS 0.0152
Exploits 1 | References 3 | Affected Software 1
Veracode
added 2025/12/13 7:24 a.m., 6 views

Remote Code Execution (RCE)

vllm is vulnerable to Remote Code Execution (RCE). The vulnerability is due to improper parsing of tool call inputs, which allows an attacker to execute arbitrary code through crafted payloads...

AI score 6.2 | EPSS 0.04016
Exploits 0 | References 4 | Affected Software 1
Veracode
added 2025/12/13 5:40 a.m., 3 views

Cross-Site Scripting (XSS)

magento is vulnerable to Cross-Site Scripting (XSS). The vulnerability is due to insufficient sanitization of user input in form fields, which allows an attacker to inject malicious scripts that execute in a victim's browser when the affected page is viewed...

CVSS 8.1 | AI score 5.8 | EPSS 0.00551
Exploits 0 | References 3 | Affected Software 2
Veracode
added 2025/12/13 3:49 a.m., 10 views

Information Disclosure

react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack, next and vitejs/plugin-rsc are vulnerable to an Information Disclosure. The vulnerability is due to unsafe handling of stringified arguments in React Server Components (RSC) Server Functions, where a specifically crafted...

CVSS 5.3 | AI score 6.9 | EPSS 0.62405
Exploits 7 | References 4 | Affected Software 5
CNNVD
added 2025/12/13 12:00 a.m., 3 views

WordPress plugin Colibri Page Builder Cross-Site Scripting Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A cross-site scripti...

CVSS 6.4 | AI score 5.6 | EPSS 0.00199
Exploits 0 | References 3
CNNVD
added 2025/12/13 12:00 a.m., 2 views

WordPress plugin WP to LinkedIn Auto Publish Cross-Site Scripting Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to set up personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A cross-site scripti...

CVSS 6.1 | AI score 5.9 | EPSS 0.00204
Exploits 0 | References 4
EUVD
added 2025/12/12 12:30 a.m., 4 views

EUVD-2024-55331

Purei CMS 1.0 contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through unfiltered user input parameters. Attackers can exploit vulnerable endpoints like getAllParks.php and events-ajax.php by injecting crafted SQL payloads to potentially...

CVSS 9.3 | AI score 7.4 | EPSS 0.00255
Exploits 0 | References 4
CNNVD
added 2025/12/12 12:00 a.m., 2 views

WordPress plugin Visitor Logic Lite Code Issue Vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed using the PHP language. The platform has the ability to host personal blog sites on PHP and MySQL based servers. WordPress plugin is an application plugin. A code issue...

CVSS 8.1 | AI score 6.7 | EPSS 0.00457
Exploits 0 | References 3
NVD
added 2025/12/11 10:15 p.m., 5 views

CVE-2024-58301

Purei CMS 1.0 contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through unfiltered user input parameters. Attackers can exploit vulnerable endpoints like getAllParks.php and events-ajax.php by injecting crafted SQL payloads to potentially...

CVSS 9.3 | EPSS 0.00255
Exploits 0 | References 3
RedHat Linux
added 2025/12/11 6:53 p.m., 2 views

rexml: REXML denial of service

A denial of service flaw has been discovered in the rubygem REXML. Certain input can cause excess CPU usage, and given sufficiently large input this can affect program performance...

CVSS 5.3 | AI score 5.7 | EPSS 0.00231
Exploits 0 | References 6
Vulnrichment
added 2025/12/10 11:18 p.m., 3 views

CVE-2025-67511 Cybersecurity AI (CAI) vulnerable to Command Injection in run_ssh_command_with_credentials Agent tool

Cybersecurity AI (CAI) is an open-source framework for building and deploying AI-powered offensive and defensive automation. Versions 0.5.9 and below are vulnerable to Command Injection through the run_ssh_command_with_credentials function, which is available to AI agents. Only password and command...

CVSS 9.6 | AI score 7.1 | EPSS 0.0152
Exploits 1 | References 3
RedHat Linux
added 2025/12/10 6:31 p.m., 3 views

rexml: REXML denial of service

A denial of service flaw has been discovered in the rubygem REXML. Certain input can cause excess CPU usage, and given sufficiently large input this can affect program performance...

CVSS 5.3 | AI score 5.7 | EPSS 0.00231
Exploits 0 | References 6
Cvelist
added 2025/12/10 12:00 a.m., 20 views

CVE-2025-65296

NULL-pointer dereference vulnerabilities in Aqara Hub M2 4.3.60027, Hub M3 4.3.60025, and Camera Hub G3 4.1.90027 in the JSON processing enable denial-of-service attacks through malformed JSON inputs...

EPSS 0.00251
Exploits 1 | References 1
Vulnrichment
added 2025/12/10 12:00 a.m., 2 views

CVE-2025-65296

NULL-pointer dereference vulnerabilities in Aqara Hub M2 4.3.60027, Hub M3 4.3.60025, and Camera Hub G3 4.1.90027 in the JSON processing enable denial-of-service attacks through malformed JSON inputs...

AI score 6.7 | EPSS 0.00251
Exploits 1 | References 1
Positive Technologies
added 2025/12/10 12:00 a.m., 3 views

PT-2025-50480

Name of the Vulnerable Software and Affected Versions: Adobe Experience Manager versions 6.5.23 and earlier. Description: A stored Cross-Site Scripting (XSS) issue exists in Adobe Experience Manager. A low privileged attacker could inject malicious scripts into vulnerable form fields. Execution of...

CVSS 5.4 | AI score 5.5 | EPSS 0.00167
Exploits 0 | References 4
EUVD
added 2025/12/09 6:30 p.m., 3 views

EUVD-2025-201886

Robocode vulnerable to Directory Traversal in recursivelyDelete Method...

CVSS 10 | AI score 6.4 | EPSS 0.00897
Exploits 0 | References 3
OSV
added 2025/12/09 4:17 p.m., 2 views

CVE-2025-14284

Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload in...

CVSS 5.1 | AI score 6.6
Exploits 0 | References 4