11565 matches found

Vulnrichment
added 2025/08/14 3:32 p.m., 5 views

CVE-2025-8965 linlinjava litemall Endpoint AdminStorageController.java create unrestricted upload

A vulnerability has been found in linlinjava litemall up to 1.8.0. This vulnerability affects the function create of the file litemall-admin-api/src/main/java/org/linlinjava/litemall/admin/web/AdminStorageController.java of the component Endpoint. The manipulation of the argument File leads to...

CVSS 6.5 | AI score 7.1 | EPSS 0.0031
Exploits: 1 | References: 5
Tenable Nessus
added 2025/08/14 12:00 a.m., 8 views

Apache CXF < 3.6.8 / 4.x < 4.0.9 / 4.1.x < 4.1.3 RCE (CVE-2025-48913)

The version of Apache CXF installed on the remote host is affected by a remote code execution vulnerability. If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restrict...

CVSS 9.8 | AI score 7.2 | EPSS 0.0044
Exploits: 0 | References: 2
OPENSUSE Linux
added 2025/08/14 12:00 a.m., 2 views

Security update for chromium (important)

openSUSE Security Update: Security update for chromium Announcement ID: openSUSE-SU-2025:0297-1 Rating: important References: 1247981 Cross-References: CVE-2025-8879 CVE-2025-8880 CVE-2025-8881 CVE-2025-8882 CVE-2025-8901 Affected Products: openSUSE Backports SLE-15-SP6 An update that fixes 5...

CVSS 8.8 | AI score 7.5 | EPSS 0.00759
Exploits: 0 | References: 1
Vulnrichment
added 2025/08/13 8:53 p.m., 1 view

CVE-2011-10019 Spreecommerce < 0.60.2 Search Parameter RCE

Spreecommerce versions prior to 0.60.2 contain a remote command execution vulnerability in their search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby’s send method. This allows attackers to execute...

CVSS 10 | AI score 8.2 | EPSS 0.79644
Exploits: 1 | References: 5
Cvelist
added 2025/08/13 8:53 p.m., 7 views

CVE-2011-10019 Spreecommerce < 0.60.2 Search Parameter RCE

Spreecommerce versions prior to 0.60.2 contain a remote command execution vulnerability in their search functionality. The application fails to properly sanitize input passed via the search[send][] parameter, which is dynamically invoked using Ruby’s send method. This allows attackers to execute...

CVSS 10 | EPSS 0.79644
Exploits: 1 | References: 5
CVE
added 2025/08/13 8:53 p.m., 20 views

CVE-2011-10019

Spreecommerce before 0.60.2 is vulnerable to remote command execution via the search[send][] input, which is dynamically invoked using Ruby’s send method and not properly sanitized. This allows an unauthenticated attacker to execute arbitrary shell commands on the server. Affected component: sear...

CVSS 10 | AI score 8.2 | EPSS 0.79644
Exploits: 1 | References: 5 | Affected software: 1
OSV
added 2025/08/13 3:15 p.m., 2 views

ALPINE-CVE-2025-53859

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happe...

CVSS 6.3 | AI score 5.5 | EPSS 0.00056
Exploits: 0 | References: 1
OSV
added 2025/08/13 3:15 p.m., 2 views

AZL-66311 CVE-2025-53859 affecting package nginx for versions less than 1.25.4-5

NGINX Open Source and NGINX Plus have a vulnerability in the ngx_mail_smtp_module that might allow an unauthenticated attacker to over-read NGINX SMTP authentication process memory; as a result, the server side may leak arbitrary bytes sent in a request to the authentication server. This issue happe...

CVSS 6.3 | AI score 5.9 | EPSS 0.00056
Exploits: 0 | References: 1
Cvelist
added 2025/08/12 4:25 p.m., 8 views

CVE-2025-55166 svg-sanitizer By-Passing Attribute Sanitization

svg-sanitizer is a PHP SVG/XML sanitizer. Prior to version 0.22.0, the sanitization logic in the cleanXlinkHrefs method only searches for the lower-case attribute name, which allows bypassing the isHrefSafeValue check. As a result, this allows cross-site scripting or linking to external domains. Thi...

CVSS 5.1 | EPSS 0.00289
Exploits: 0 | References: 2
Microsoft KB
added 2025/08/12 7:00 a.m., 21 views

August 12, 2025—KB5063880 (OS Build 20348.4052)

August 12, 2025—KB5063880 OS Build 20348.4052. Windows Secure Boot certificate expiration. Important: Secure Boot certificates used by most Windows devices are set to expire starting in June 2026. Microsoft has been updating these certificates on consumer and non-managed business devices for the pas...

CVSS 9.8 | AI score 7 | EPSS 0.37319
Exploits: 5
Packet Storm News
added 2025/08/12 12:00 a.m., 2 views

Secure Authentication Via Quantum Physical Unclonable Functions: a Review

Quantum Physical Unclonable Functions (QPUFs) offer a physically grounded approach to secure authentication, extending the capabilities of classical PUFs. This review covers their theoretical foundations and key implementation challenges, such as quantum memories and Haar-randomness, and...

AI score 7.1
Exploits: 0
OSV
added 2025/08/11 5:59 p.m., 3 views

GO-2025-3854 OpenBao has a Timing Side-Channel in the Userpass Auth Method in github.com/openbao/openbao

OpenBao has a Timing Side-Channel in the Userpass Auth Method in github.com/openbao/openbao. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability...

CVSS 3.7 | AI score 6.9 | EPSS 0.00158
Exploits: 0 | References: 6
OSV
added 2025/08/11 5:24 p.m., 4 views

GO-2025-3848 HashiCorp Vault ldap auth method may not have correctly enforced MFA in github.com/hashicorp/vault

HashiCorp Vault ldap auth method may not have correctly enforced MFA in github.com/hashicorp/vault...

CVSS 8.1 | AI score 7.1 | EPSS 0.00206
Exploits: 0 | References: 3
OSV
added 2025/08/11 1:52 p.m., 4 views

BIT-LIBPYTHON-2022-42919

Python 3.9.x before 3.9.16 and 3.10.x before 3.10.9 on Linux allows local privilege escalation in a non-default configuration. The Python multiprocessing library, when used with the forkserver start method on Linux, allows pickles to be deserialized from any user in the same machine local network...

CVSS 7.8 | AI score 7.3 | EPSS 0.00035
Exploits: 0 | References: 16
Veracode
added 2025/08/11 9:25 a.m., 4 views

Command Injection

codeigniter4/framework is vulnerable to Command Injection. The vulnerability is due to improper handling of user-controlled filenames and text content when using the ImageMagick imagick handler in the resize or text methods, which allows an attacker to execute arbitrary shell commands by supplyin...

CVSS 9.8 | AI score 7.9 | EPSS 0.03881
Exploits: 0 | References: 6 | Affected software: 1
OSV
added 2025/08/11 8:15 a.m., 2 views

AZL-66171 CVE-2025-8747 affecting package keras for versions less than 3.3.3-3

A safe mode bypass vulnerability in the Model.load_model method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a specially crafted .keras model archive...

CVSS 8.6 | AI score 6.4 | EPSS 0.00029
Exploits: 0 | References: 1
Cvelist
added 2025/08/11 7:21 a.m., 7 views

CVE-2025-8747 Keras safe_mode bypass allows arbitrary code execution when loading a malicious model.

A safe mode bypass vulnerability in the Model.load_model method in Keras versions 3.0.0 through 3.10.0 allows an attacker to achieve arbitrary code execution by convincing a user to load a specially crafted .keras model archive...

CVSS 8.6 | EPSS 0.00029
Exploits: 0 | References: 2
RedhatCVE
added 2025/08/11 2:31 a.m., 15 views

CVE-2025-54999

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users an...

CVSS 3.7 | AI score 6.5 | EPSS 0.00158
Exploits: 0 | References: 1
CNNVD
added 2025/08/11 12:00 a.m., 3 views

Keras security vulnerability

Keras is a multi-backend deep learning framework open-sourced by Keras. A security vulnerability exists in Keras versions 3.0.0 through 3.10.0, which stems from a safe mode bypass in the Model.load_model method that could lead to arbitrary code execution...

CVSS 8.6 | AI score 7.3 | EPSS 0.00029
Exploits: 0 | References: 2
RedhatCVE
added 2025/08/10 10:39 a.m., 8 views

CVE-2025-48913

A flaw was found in org.apache.cxf/cxf, where untrusted users can configure JMS to allow the specification of RMI or LDAP URLs, possibly leading to code execution. This vulnerability allows an attacker to provide malicious protocol URLs during JMS configuration. Mitigation: To reduce risk,...

CVSS 9.8 | AI score 6.9 | EPSS 0.0044
Exploits: 0 | References: 4