Lucene search

1895 matches found

Vulnrichment
added 2025/04/01 3:47 p.m., 1 view

CVE-2025-21981 ice: fix memory leak in aRFS after reset

In the Linux kernel, the following vulnerability has been resolved: ice: fix memory leak in aRFS after reset. Fix aRFS (accelerated Receive Flow Steering) structures memory leak by adding a checker to verify if aRFS memory is already allocated while configuring VSI. aRFS objects are allocated in two...

AI score 7.5, EPSS 0.0003
Exploits: 0, References: 7
RedhatCVE
added 2025/03/29 12:43 p.m., 13 views

CVE-2025-2242

An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain elevated privileges to...

CVSS 8.8, AI score 6.8, EPSS 0.00026
Exploits: 0, References: 1
NVD
added 2025/03/27 1:15 p.m., 10 views

CVE-2025-2242

An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain elevated privileges to...

CVSS 8.8, EPSS 0.00026
Exploits: 0, References: 1
CVE
added 2025/03/27 12:30 p.m., 67 views

CVE-2025-2242

CVE-2025-2242 describes an improper access-control vulnerability in GitLab CE/EE that lets a former instance admin, downgraded to a regular user, retain elevated privileges to groups and projects across GitLab versions 17.4 through 17.8.6, 17.9 through 17.9.3, and 17.10 through 17.10.1. The provi...

CVSS 8.8, AI score 7.3, EPSS 0.00026
Exploits: 0, References: 1, Affected software: 1
Debian CVE
added 2025/03/27 12:30 p.m., 7 views

CVE-2025-2242

Removed by vendor...

CVSS 8.8, AI score 5.8, EPSS 0.00026
Exploits: 0
Cvelist
added 2025/03/27 12:30 p.m., 9 views

CVE-2025-2242 Incorrect Authorization in GitLab

An improper access control vulnerability in GitLab CE/EE affecting all versions from 17.4 prior to 17.8.6, 17.9 prior to 17.9.3, and 17.10 prior to 17.10.1 allows a user who was an instance admin before but has since been downgraded to a regular user to continue to maintain elevated privileges to...

CVSS 7.5, EPSS 0.00026
Exploits: 0, References: 1
Github Security Blog
added 2025/03/20 6:49 p.m., 159 views

go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment

Impact: The issue only occurs when the CLIENT SETINFO command times out during connection establishment. The following circumstances can cause such a timeout:
1. The client is configured to transmit its identity. This can be disabled via the DisableIndentity flag.
2. There are network connectivity...

CVSS 3.7, AI score 7.2, EPSS 0.00158
Exploits: 0, References: 5, Affected software: 1
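Worked example (added here; it is not go-redis or Redis code): a minimal in-process model of a strictly ordered request/response connection. It shows why a reply that arrives after the client has already given up waiting on CLIENT SETINFO is handed to the next command issued on the same connection, and why throwing the connection away on timeout removes the hazard. The tick-based timing, the command costs and the reply strings are constructed assumptions for the demonstration.

```python
from collections import deque

# Constructed timing model: a CLIENT SETINFO answer takes 3 ticks,
# anything else takes 1 tick. The client below waits only 2 ticks for it.
SLOW_TICKS = 3
FAST_TICKS = 1


class FakeServer:
    """Stand-in for the server side of an ordered request/response protocol:
    every command gets exactly one reply, in arrival order. Replies that the
    client never reads simply stay in `outbox`, exactly like unread bytes
    left in a TCP socket."""

    def __init__(self):
        self.inbox = deque()     # commands received, not yet answered
        self.outbox = deque()    # replies the client has not read yet
        self.current = None      # [command, ticks_remaining]

    def receive(self, cmd):
        self.inbox.append(cmd)

    def tick(self):
        if self.current is None:
            if not self.inbox:
                return
            cmd = self.inbox.popleft()
            cost = SLOW_TICKS if cmd.startswith("CLIENT SETINFO") else FAST_TICKS
            self.current = [cmd, cost]
        self.current[1] -= 1
        if self.current[1] == 0:
            cmd = self.current[0]
            self.outbox.append("OK" if cmd.startswith("CLIENT") else "value:" + cmd.split()[-1])
            self.current = None


class Connection:
    """Client side. With discard_on_timeout=False it keeps using the same
    connection after a timeout (the vulnerable behaviour); with True it
    reconnects, so the stale reply can never be read."""

    def __init__(self, discard_on_timeout):
        self.discard_on_timeout = discard_on_timeout
        self.server = FakeServer()

    def call(self, cmd, timeout):
        self.server.receive(cmd)
        for _ in range(timeout):
            self.server.tick()
            if self.server.outbox:
                # Whatever is first in the stream is taken as THIS command's reply.
                return self.server.outbox.popleft()
        if self.discard_on_timeout:
            self.server = FakeServer()   # reconnect on a fresh stream
        raise TimeoutError(cmd)


def run(discard_on_timeout):
    """Returns the (command, reply) pairs the application would observe."""
    conn = Connection(discard_on_timeout)
    results = []
    try:
        conn.call("CLIENT SETINFO LIB-NAME demo", timeout=2)
    except TimeoutError:
        results.append(("CLIENT SETINFO", "timeout"))
    results.append(("GET a", conn.call("GET a", timeout=5)))
    results.append(("GET b", conn.call("GET b", timeout=5)))
    return results


if __name__ == "__main__":
    print("keep connection:   ", run(discard_on_timeout=False))
    print("discard on timeout:", run(discard_on_timeout=True))
```

With the connection kept, `GET a` receives the `OK` meant for CLIENT SETINFO and `GET b` receives the value of key `a`; every later reply on that connection is shifted by one. In a real client the reconnect path would re-send the identity command on the new connection, or skip it entirely when identity transmission is disabled.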
Cvelist
added 2025/03/20 10:09 a.m., 5 views

CVE-2024-7959 SSRF in open-webui/open-webui

The /openai/models endpoint in open-webui/open-webui version 0.3.8 is vulnerable to Server-Side Request Forgery (SSRF). An attacker can change the OpenAI URL to any URL without checks, causing the endpoint to send a request to the specified URL and return the output. This vulnerability allows the...

CVSS 7.7, EPSS 0.00514
Exploits: 1, References: 1
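Worked example (added here; not open-webui's code): the kind of check an endpoint that proxies requests to a user-configurable upstream URL needs before it fetches anything. It pins the scheme, rejects userinfo tricks such as `https://allowed-host@attacker/`, rejects IP literals in loopback, private, link-local (including the cloud metadata range) and other non-routable ranges, and requires the host to be on an explicit allowlist. The allowlist contents and the sample URLs are constructed for the demonstration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist: the only upstream API hosts this proxy may call.
ALLOWED_UPSTREAM_HOSTS = frozenset({"api.openai.com"})


def is_blocked_ip_literal(host):
    """True if `host` is an IP literal in a range an SSRF would typically
    target (loopback, RFC 1918, link-local/metadata, reserved, ...)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False                      # a hostname, not an IP literal
    return (ip.is_private or ip.is_loopback or ip.is_link_local
            or ip.is_reserved or ip.is_multicast or ip.is_unspecified)


def validate_upstream_url(url, allowed_hosts=ALLOWED_UPSTREAM_HOSTS):
    """Return a normalised upstream URL or raise ValueError with the reason."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("scheme must be https")
    if parts.username is not None or parts.password is not None:
        raise ValueError("userinfo not allowed")
    host = parts.hostname                 # already lowercased, brackets stripped
    if not host:
        raise ValueError("missing host")
    if is_blocked_ip_literal(host):
        raise ValueError("internal address")
    if host not in allowed_hosts:
        raise ValueError("host not allowlisted")
    if parts.port not in (None, 443):     # .port raises ValueError on garbage
        raise ValueError("unexpected port")
    # Query string and fragment are deliberately dropped: the proxy owns them.
    return f"https://{host}{parts.path or '/'}"


def classify(url):
    """Convenience wrapper: 'ok:<normalised url>' or 'rejected: <reason>'."""
    try:
        return "ok:" + validate_upstream_url(url)
    except ValueError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    # Constructed probe URLs, including a cloud metadata address.
    for u in ("https://API.OpenAI.com/v1/models",
              "http://169.254.169.254/latest/meta-data/",
              "https://api.openai.com@evil.example/v1/models",
              "https://[::1]/v1/models",
              "https://api.openai.com:8443/v1/models"):
        print(f"{u:50} -> {classify(u)}")
```

Two caveats for real deployments: a hostname allowlist does not by itself stop DNS rebinding, so the fetch layer should resolve the name once, apply the same range checks to the resolved address and connect to that address; and the ability to change the upstream URL at all should be an admin-only operation, which is independent of validating its value.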
Positive Technologies
added 2025/03/20 12:00 a.m., 2 views

PT-2025-12191 · Mintplex · Anything-Llm

Name of the vulnerable software and affected versions: mintplex-labs/anything-llm version 1d9452da2b92
Description: A denial of service issue arises when uploading an audio file with a very low sample rate, causing the site instance to crash. This occurs due to the localWhisper implementation,...

CVSS 6.5, AI score 6.4, EPSS 0.0033
Exploits: 1, References: 6
OSV
added 2025/03/11 4:17 p.m., 3 views

GHSA-W7F9-WQC4-3WXR Mockoon has a Path Traversal and LFI in the static file serving endpoint

Summary: A mock API configuration for static file serving that follows the approach presented in the documentation page, where the server filename is generated via templating features from user input, is vulnerable to Path Traversal and LFI, allowing an attacker to get any file in the mock server...

CVSS 7.5, AI score 7, EPSS 0.01907
Exploits: 0, References: 6
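Worked example (added here; not Mockoon's code, and written in Python rather than the project's JavaScript): the general shape of the bug, a user-controlled path segment templated into a filesystem path with no containment check, next to the hardened resolver. The hardened version decodes the input first, canonicalises both the served root and the candidate (following symlinks), and then requires the candidate to lie under the root; it also rejects absolute paths, which `os.path.join` would otherwise let replace the root entirely. The directory layout and the request strings are constructed in a temporary directory so the example runs offline.

```python
import os
import shutil
import tempfile
from pathlib import Path
from urllib.parse import unquote


def build_demo_tree():
    """Constructed layout: a served root holding one public file, and a file
    one level above it that must never be reachable through the server."""
    base = Path(tempfile.mkdtemp(prefix="static-demo-"))
    root = base / "public"
    root.mkdir()
    (root / "index.html").write_text("<h1>hello</h1>")
    (base / "secret.txt").write_text("not for you")
    return base, root


def resolve_unsafe(root, name):
    """The anti-pattern: the user-supplied segment is joined onto the root
    with no containment check. normpath() collapses '..' upward, and an
    absolute `name` makes os.path.join discard the root altogether."""
    return Path(os.path.normpath(os.path.join(str(root), unquote(name))))


def resolve_safe(root, name):
    """Hardened: decode, canonicalise both sides (resolve() follows
    symlinks), then insist the candidate sits inside the root."""
    root = Path(root).resolve()
    candidate = (root / unquote(name)).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes served root: {name!r}")
    return candidate


def is_contained(root, name):
    """Boolean form of resolve_safe for callers that just want a verdict."""
    try:
        resolve_safe(root, name)
        return True
    except PermissionError:
        return False


def demo():
    """Runs both resolvers against a traversal and an absolute-path request."""
    base, root = build_demo_tree()
    try:
        traversal = "..%2Fsecret.txt"          # constructed: URL-encoded '../secret.txt'
        absolute = "/etc/hostname"             # constructed absolute-path request
        return {
            "unsafe_leak": resolve_unsafe(root, traversal).read_text(),
            "safe_blocked": not is_contained(root, traversal),
            "absolute_blocked": not is_contained(root, absolute),
            "legit": resolve_safe(root, "index.html").read_text(),
        }
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:17} {v!r}")
```

Decoding before the check matters: a server that compares the raw `..%2F` string against `../` and only decodes afterwards is still traversable. Canonicalising with `resolve()` rather than string prefix comparison also closes the `/srv/public-evil` prefix-match bypass and symlinks planted inside the root.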
Tenable Nessus
added 2025/03/05 12:00 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2024-39491

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: ALSA: hda: cs35l56: Fix lifetime of cs_dsp instance. The cs_dsp instance is initialized in the...

CVSS 5.5, AI score 5.8, EPSS 0.00028
Exploits: 0, References: 3
Tenable Nessus
added 2025/03/04 12:00 a.m., 5 views

Linux Distros Unpatched Vulnerability : CVE-2014-0134

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The instance rescue mode in OpenStack Compute (Nova) 2013.2 before 2013.2.3 and Icehouse before 2014.1, when using libvirt to spawn images and use_cow_images is set...

CVSS 3.5, AI score 5.9, EPSS 0.00201
Exploits: 0, References: 2
RedhatCVE
added 2025/03/01 5:20 p.m., 5 views

CVE-2025-27399

Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block reasons. Instance admins...

CVSS 5.3, AI score 6.7, EPSS 0.00449
Exploits: 0, References: 1
CVE
added 2025/02/27 5:15 p.m., 82 views

CVE-2025-27399

Summary: Mastodon contains an access-control bug where, when domain blocks/reasons visibility is set to the English string “To logged-in users,” users not yet approved can view the block reasons. Affected versions: before 4.1.23, 4.2.16, and 4.3.4. Impact: instance admins who rely on private doma...

CVSS 5.3, AI score 5.3, EPSS 0.00449
Exploits: 0, References: 4, Affected software: 1
OSV
added 2025/02/27 5:15 p.m., 4 views

CVE-2025-27399 Mastodon's domain blocks & rationales ignore user approval when visibility set as "users"

Mastodon is a self-hosted, federated microblogging platform. In versions prior to 4.1.23, 4.2.16, and 4.3.4, when the visibility for domain blocks/reasons is set to "users" (localized English string: "To logged-in users"), users that are not yet approved can view the block reasons. Instance admins...

CVSS 5.3, AI score 6.6, EPSS 0.00449
Exploits: 0, References: 6
OSV
added 2025/02/27 2:12 a.m., 5 views

CVE-2025-21746 Input: synaptics - fix crash when enabling pass-through port

In the Linux kernel, the following vulnerability has been resolved: Input: synaptics - fix crash when enabling pass-through port When enabling a pass-through port an interrupt might come before psmouse driver binds to the pass-through port. However synaptics sub-driver tries to access psmouse...

CVSS 4.7, AI score 6.1, EPSS 0.00013
Exploits: 0, References: 7
CNNVD
added 2025/02/27 12:00 a.m., 2 views

Mastodon authorization issue vulnerability

Mastodon is an open source social networking server based on ActivityPub by Mastodon Open Source. An authorization issue vulnerability exists in Mastodon that stems from an unapproved user being able to view the reason for a domain block, affecting instance administrators who do not wish to make...

CVSS 5.3, AI score 6.5, EPSS 0.00449
Exploits: 0, References: 6
Debian CVE
added 2025/02/26 1:55 a.m., 8 views

CVE-2022-49195

In the Linux kernel, the following vulnerability has been resolved: net: dsa: fix panic on shutdown if multi-chip tree failed to probe. DSA probing is atypical because a tree of devices must probe all at once, so out of N switches which call dsa_tree_setup_routing_table during probe, for N - 1 of them...

CVSS 5.5, AI score 5.5, EPSS 0.00071
Exploits: 0
RedHat Linux
added 2025/02/25 11:35 a.m., 3 views

tuned: improper sanitization of `instance_name` parameter of the `instance_create()` method

A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick t...

CVSS 5.5, AI score 5.7, EPSS 0.00033
Exploits: 0, References: 6
RedHat Linux
added 2025/02/25 7:26 a.m., 4 views

tuned: improper sanitization of `instance_name` parameter of the `instance_create()` method

A log spoofing flaw was found in the Tuned package due to improper sanitization of some API arguments. This flaw allows an attacker to pass a controlled sequence of characters; newlines can be inserted into the log. Instead of the 'evil' the attacker could mimic a valid TuneD log line and trick t...

CVSS 5.5, AI score 5.7, EPSS 0.00033
Exploits: 0, References: 6
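Worked example for the two TuneD log-spoofing entries above (added here; not TuneD's code, and the log line format is a constructed stand-in for a daemon log): an API argument interpolated verbatim into a log message, the payload that uses an embedded newline to forge a second, authentic-looking line, and two mitigations, escaping control characters so one call can only ever produce one physical line, and a strict identifier allowlist for the argument itself. The payload, timestamps and profile name are constructed.

```python
import re

# Constructed log line format for the demo (timestamp, level, logger, message).
LOG_FORMAT = "{ts} {level:<8} tuned.daemon: {msg}"
CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")


def format_entry(ts, level, msg):
    return LOG_FORMAT.format(ts=ts, level=level, msg=msg)


def log_instance_create_unsafe(buf, ts, instance_name):
    """Vulnerable pattern: the untrusted argument goes into the message as-is."""
    buf.append(format_entry(ts, "INFO", f"instance '{instance_name}' created"))


def escape_control_chars(s):
    """Mitigation 1: escape (rather than silently drop) every control character,
    so the log still shows what was sent but can never gain an extra line."""
    return CONTROL_CHARS.sub(lambda m: "\\x{:02x}".format(ord(m.group())), s)


def is_valid_instance_name(name):
    """Mitigation 2: a conservative identifier charset for the argument itself."""
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", name) is not None


def validate_instance_name(name):
    if not is_valid_instance_name(name):
        raise ValueError("invalid instance_name")
    return name


def log_instance_create_safe(buf, ts, instance_name):
    buf.append(format_entry(ts, "INFO",
                            f"instance '{escape_control_chars(instance_name)}' created"))


def render(buf):
    """The log as an administrator reads it: physical lines of the file."""
    return "\n".join(buf).split("\n")


# Constructed attacker payload: the name terminates its own line and starts a
# forged one. (A real payload would also pad out the "' created" suffix that
# the template appends after it.)
PAYLOAD = ("evil\n2025-02-25 07:26:00,000 INFO     tuned.daemon: "
           "profile 'throughput-performance' applied")


def demo():
    """Returns (unsafe_lines, safe_lines) for the same API call."""
    ts = "2025-02-25 07:26:00,000"
    unsafe, safe = [], []
    log_instance_create_unsafe(unsafe, ts, PAYLOAD)
    log_instance_create_safe(safe, ts, PAYLOAD)
    return render(unsafe), render(safe)


if __name__ == "__main__":
    unsafe_lines, safe_lines = demo()
    print("unsafe:", *unsafe_lines, sep="\n  ")
    print("safe:  ", *safe_lines, sep="\n  ")
    print("payload accepted by allowlist:", is_valid_instance_name(PAYLOAD))
```

Escaping at the logging boundary protects every caller, including ones added later; the allowlist additionally stops the value reaching other consumers (D-Bus clients, config files) that may have their own line-oriented parsers. Carriage returns, ESC sequences and other control characters are covered by the same class, since terminal escape injection in logs viewed with `less -R` or `tail` is the same bug in a different reader.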