
2856 matches found

CVE
added 2025/12/17 7:48 p.m. | 9 views

CVE-2025-34442

CVE-2025-34442 concerns AVideo versions prior to 20.1 that disclose absolute filesystem paths through multiple public API endpoints, revealing server paths to media files and potentially aiding attackers. Connected sources corroborate public path disclosure and also point to exploitation activity...

7.5 CVSS | 6.5 AI score | 0.00731 EPSS
Exploits: 2 | References: 4 | Affected Software: 1
Positive Technologies
added 2025/12/17 12:0 a.m. | 3 views

PT-2025-51875

Name of the Vulnerable Software and Affected Versions: AVideo versions prior to 20.1. Description: AVideo versions prior to 20.1 disclose absolute filesystem paths through multiple public API endpoints. The returned metadata includes full server paths to media files, revealing the underlying...

7.5 CVSS | 6.6 AI score | 0.00731 EPSS
Exploits: 2 | References: 7
NVD
added 2025/12/16 4:16 p.m. | 3 views

CVE-2025-68288

In the Linux kernel, the following vulnerability has been resolved: usb: storage: Fix memory leak in USB bulk transport. A kernel memory leak was identified by the 'ioctlsg01' test from Linux Test Project (LTP). The following bytes were mainly observed: 0x53425355. When USB storage devices incorrect...

0.00173 EPSS
Exploits: 0 | References: 7
Snyk
added 2025/12/16 4:57 a.m. | 3 views

Authentication Bypass by Alternate Name

Overview: org.keycloak:keycloak-services is an open source identity and access management solution for modern applications and services. Affected versions of this package are vulnerable to Authentication Bypass by Alternate Name via the ResourceSetService and PermissionTicketService modules due to...

7 CVSS | 5.8 AI score | 0.00315 EPSS
Exploits: 0 | References: 2
CVE
added 2025/12/15 8:28 p.m. | 5 views

CVE-2023-53880

CVE-2023-53880 affects Lucee 5.4.2.17, with an authenticated reflected cross-site scripting vulnerability in administrative interface parameters. The vulnerability allows an attacker to craft payloads targeting admin pages such as server.cfm and web.cfm to inject and execute arbitrary JavaScript ...

4.8 CVSS | 6 AI score | 0.00311 EPSS
Exploits: 0 | References: 3
Cvelist
added 2025/12/15 8:28 p.m. | 22 views

CVE-2023-53880 Lucee 5.4.2.17 Authenticated Reflected Cross-Site Scripting via Admin Interfaces

Lucee 5.4.2.17 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through administrative interface parameters. Attackers can craft specific payloads targeting admin pages like server.cfm and web.cfm to execute arbitrary JavaScri...

4.8 CVSS | 0.00311 EPSS
Exploits: 0 | References: 3
Vulnrichment
added 2025/12/15 8:28 p.m. | 2 views

CVE-2023-53880 Lucee 5.4.2.17 Authenticated Reflected Cross-Site Scripting via Admin Interfaces

Lucee 5.4.2.17 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through administrative interface parameters. Attackers can craft specific payloads targeting admin pages like server.cfm and web.cfm to execute arbitrary JavaScri...

4.8 CVSS | 6 AI score | 0.00311 EPSS
Exploits: 0 | References: 3
Veracode
added 2025/12/13 4:48 a.m. | 7 views

Remote Code Execution (RCE)

Keycloak is vulnerable to Remote Code Execution (RCE). The vulnerability is due to insecure default binding of the debug JDWP port to all network interfaces in debug mode, which allows an attacker on the same network to attach a debugger and execute arbitrary code...

6.8 CVSS | 6.1 AI score | 0.00456 EPSS
Exploits: 0 | References: 9 | Affected Software: 1
Positive Technologies
added 2025/12/13 12:0 a.m. | 2 views

PT-2025-51100

Encryption is missing on the configuration interface for Growatt ShineLan-X and MIC 3300TL-X. This allows an attacker with access to the network to intercept and potentially manipulate communication requests between the inverter and its cloud endpoint...

9.4 CVSS | 6.8 AI score | 0.00064 EPSS
Exploits: 0 | References: 1
NVD
added 2025/12/11 4:16 p.m. | 6 views

CVE-2025-55311

An issue was discovered in Foxit PDF and Editor for Windows and macOS before 13.2 and 2025 before 2025.2. A crafted PDF can use JavaScript to alter annotation content and subsequently clear the file's modification status via JavaScript interfaces. This circumvents digital signature verification b...

6.5 CVSS | 0.0017 EPSS
Exploits: 0 | References: 1
Akamai Blog
added 2025/12/11 11:0 a.m. | 6 views

The Year in Review 2025: AI, APIs, and a Whole Lot of Audacity

...

7 AI score
Exploits: 0
CVE
added 2025/12/11 12:0 a.m. | 22 views

CVE-2025-55311

Foxit PDF Editor CVE-2025-55311 affects Foxit PDF and Editor on Windows/macOS before 13.2 and 2025 before 2025.2. A crafted PDF can use JavaScript to alter annotation content and clear the file’s modification status, bypassing digital signature verification and undermining trust in signed PDFs. R...

6.5 CVSS | 7.4 AI score | 0.0017 EPSS
Exploits: 0 | References: 1 | Affected Software: 2
Positive Technologies
added 2025/12/11 12:0 a.m. | 3 views

PT-2025-50619

Name of the Vulnerable Software and Affected Versions: Foxit PDF and Editor versions prior to 13.2; Foxit PDF and Editor 2025 versions prior to 2025.2. Description: A specially crafted PDF document can utilize JavaScript to modify annotation content and then remove the file’s modification status...

6.5 CVSS | 7.7 AI score | 0.0017 EPSS
Exploits: 0 | References: 5
ATTACKERKB
added 2025/12/10 9:3 a.m. | 2 views

CVE-2025-1161

Incorrect Use of Privileged APIs vulnerability in NomySoft Information Technology Training and Consulting Inc. Nomysem allows Privilege Escalation. This issue affects Nomysem: through May 2025...

7.1 CVSS | 5.5 AI score | 0.00176 EPSS
Exploits: 0 | References: 3
EUVD
added 2025/12/10 9:3 a.m. | 3 views

EUVD-2025-202404

Incorrect Use of Privileged APIs vulnerability in NomySoft Information Technology Training and Consulting Inc. Nomysem allows Privilege Escalation. This issue affects Nomysem: through May 2025...

7.1 CVSS | 6.4 AI score | 0.00176 EPSS
Exploits: 0 | References: 2
Veracode
added 2025/12/10 9:1 a.m. | 4 views

Arbitrary Remote Code Execution (RCE)

@vitejs/plugin-rsc is vulnerable to arbitrary remote code execution (RCE). The vulnerability is due to unsafe dynamic imports in server function APIs, which allows an attacker with network access to execute code on the development server, read or modify files, exfiltrate sensitive data, or pivot to...

9.8 CVSS | 8.2 AI score | 0.00694 EPSS
Exploits: 0 | References: 3 | Affected Software: 1
RedhatCVE
added 2025/12/10 2:32 a.m. | 3 views

CVE-2025-42878

SAP Web Dispatcher and ICM may expose internal testing interfaces that are not intended for production. If enabled, unauthenticated attackers could exploit them to access diagnostics, send crafted requests, or disrupt services. This vulnerability has a high impact on confidentiality, availability...

8.2 CVSS | 6.7 AI score | 0.00301 EPSS
Exploits: 0 | References: 1
Positive Technologies
added 2025/12/10 12:0 a.m. | 1 views

PT-2025-50312

Name of the Vulnerable Software and Affected Versions: Nomysem versions through May 2025. Description: The software contains an issue related to the incorrect use of privileged APIs, which allows for privilege escalation. Recommendations: At the moment, there is no information about a newer version...

7.1 CVSS | 6.5 AI score | 0.00176 EPSS
Exploits: 0 | References: 7
EUVD
added 2025/12/09 6:30 p.m. | 4 views

EUVD-2025-202153

A security issue was discovered in DataMosaix Private Cloud, allowing users with low privilege to perform sensitive database operations through exposed API endpoints...

8.7 CVSS | 6.2 AI score | 0.004 EPSS
Exploits: 0 | References: 2
NVD
added 2025/12/09 4:17 p.m. | 2 views

CVE-2025-42878

SAP Web Dispatcher and ICM may expose internal testing interfaces that are not intended for production. If enabled, unauthenticated attackers could exploit them to access diagnostics, send crafted requests, or disrupt services. This vulnerability has a high impact on confidentiality, availability...

8.2 CVSS | 0.00301 EPSS
Exploits: 0 | References: 2