11618 matches found

SUSE CVE
added 2026/01/06 12:24 a.m. · 2 views

SUSE CVE-2025-67819

An issue was discovered in Weaviate OSS before 1.33.4. Due to a lack of validation of the fileName field in the transfer logic, an attacker who can call the GetFile method while a shard is in the "Pause file activity" state and the FileReplicationService is reachable can read arbitrary files...

4.9 CVSS · 6.9 AI score · 0.00373 EPSS
Exploits 0 · References 2
Cvelist
added 2026/01/05 11:37 p.m. · 23 views

CVE-2025-69229 AIOHTTP vulnerable to DoS through chunked messages

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. In versions 3.13.2 and below, handling of chunked messages can result in excessive blocking CPU usage when receiving a large number of chunks. If an application makes use of the request.read method in an endpoint, it...

8.7 CVSS · 0.00338 EPSS
Exploits 0 · References 3
Vulnrichment
added 2026/01/05 11:30 p.m. · 2 views

CVE-2025-69228 AIOHTTP vulnerable to denial of service through large payloads

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow a request to be crafted in such a way that an AIOHTTP server's memory fills up uncontrollably during processing. If an application includes a handler that uses the Request.post method, ...

8.7 CVSS · 6.3 AI score · 0.00347 EPSS
Exploits 0 · References 2
AlpineLinux
added 2026/01/05 11:19 p.m. · 3 views

CVE-2025-69227

AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below allow for an infinite loop to occur when assert statements are bypassed, resulting in a DoS attack when processing a POST body. If optimizations are enabled (-O or PYTHONOPTIMIZE=1), and the...

8.7 CVSS · 7 AI score · 0.00337 EPSS
Exploits 0
OSV
added 2026/01/05 11:10 p.m. · 4 views

GHSA-JJ3X-WXRX-4X23 AIOHTTP vulnerable to DoS when bypassing asserts

Summary: When assert statements are bypassed, an infinite loop can occur, resulting in a DoS attack when processing a POST body. Impact: If optimisations are enabled (-O or PYTHONOPTIMIZE=1), and the application includes a handler that uses the Request.post method, then an attacker may be able to...

8.7 CVSS · 7.2 AI score · 0.00337 EPSS
Exploits 0 · References 4
OSV
added 2026/01/05 5:35 p.m. · 3 views

GHSA-F8CM-6447-X5H2 jsPDF has Local File Inclusion/Path Traversal vulnerability

Impact: User control of the first argument of the loadFile method in the node.js build allows local file inclusion/path traversal. If given the possibility to pass unsanitized paths to the loadFile method, a user can retrieve file contents of arbitrary files in the local file system the node proce...

9.2 CVSS · 6.7 AI score · 0.01281 EPSS
Exploits 2 · References 5
Positive Technologies
added 2026/01/05 12:00 a.m. · 3 views

PT-2026-1354

Name of the Vulnerable Software and Affected Versions: AIOHTTP versions 3.13.2 and below. Description: AIOHTTP is an asynchronous HTTP client/server framework for asyncio and Python. Versions 3.13.2 and below are susceptible to a denial of service condition. An attacker can craft a request that caus...

8.7 CVSS · 6.7 AI score · 0.00347 EPSS
Exploits 0 · References 217
Positive Technologies
added 2026/01/05 12:00 a.m. · 4 views

PT-2026-1353

Name of the Vulnerable Software and Affected Versions: AIOHTTP versions 3.13.2 and below. Description: AIOHTTP, an asynchronous HTTP client/server framework for asyncio and Python, is susceptible to a denial-of-service (DoS) attack. When optimizations are enabled using -O or PYTHONOPTIMIZE=1, and an...

8.7 CVSS · 6.6 AI score · 0.00337 EPSS
Exploits 0 · References 217
Positive Technologies
added 2026/01/01 12:00 a.m. · 2 views

PT-2026-25167

Name of the Vulnerable Software and Affected Versions: systemd (affected versions not specified). Description: The systemd-machined service has an issue with access control due to inadequate validation of the class parameter within the RegisterMachine D-Bus method. A local user with limited privileges...

6.7 CVSS · 6 AI score · 0.00142 EPSS
Exploits 0 · References 62
Positive Technologies
added 2026/01/01 12:00 a.m. · 3 views

PT-2026-29246

Name of the Vulnerable Software and Affected Versions: DNSdist (affected versions not specified). Description: An attacker could trigger an out-of-bounds write by sending crafted DNS responses to DNSdist. This is possible when utilizing the DNSQuestion:changeName or DNSResponse:changeName methods with...

8.2 CVSS · 5.2 AI score · 0.01028 EPSS
Exploits 0 · References 25
Packet Storm News
added 2025/12/30 12:00 a.m. · 4 views

Training-Free Color-Aware Adversarial Diffusion Sanitization for Diffusion Stegomalware Defense at Security Gateways

The rapid expansion of generative AI has normalized large-scale synthetic media creation, enabling new forms of covert communication. Recent generative steganography methods, particularly those based on diffusion models, can embed high-capacity payloads without fine-tuning or auxiliary decoders,...

6.8 AI score
Exploits 0
Tenable Nessus
added 2025/12/30 12:00 a.m. · 1 view

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2025-992571)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-992571 advisory. In the Linux kernel, the following vulnerability has been resolved: ACPICA: Fix error code path in acpi_ds_call_control_method. A use-after-free in acpi_ps_parse_aml after a...

7.8 CVSS · 5.9 AI score · 0.00152 EPSS
Exploits 0 · References 4
Tenable Nessus
added 2025/12/30 12:00 a.m. · 1 view

Unity Linux 20.1060e / 20.1070e Security Update: kernel (UTSA-2025-992197)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-992197 advisory. In the Linux kernel, the following vulnerability has been resolved: ACPICA: Fix error code path in acpi_ds_call_control_method. A use-after-free in acpi_ps_parse_aml after a...

7.8 CVSS · 5.9 AI score · 0.00152 EPSS
Exploits 0 · References 4
NVD
added 2025/12/28 8:15 p.m. · 8 views

CVE-2025-15152

A vulnerability was identified in h-moses moga-mall up to 392d631a5ef15962a9bddeeb9f1269b9085473fa. This vulnerability affects the function addProduct of the file src/main/java/com/ms/product/controller/PmsProductController.java. Such manipulation of the argument objectName leads to unrestricted...

6.5 CVSS · 0.00202 EPSS
Exploits 0 · References 4
Vulnrichment
added 2025/12/28 5:32 p.m. · 3 views

CVE-2025-15146 SohuTV CacheCloud UserManageController.java doUserList cross site scripting

A vulnerability was detected in SohuTV CacheCloud up to 3.2.0. This impacts the function doUserList of the file src/main/java/com/sohu/cache/web/controller/UserManageController.java. Performing manipulation results in cross site scripting. The attack may be initiated remotely. The exploit is now...

4.8 CVSS · 3 AI score · 0.002 EPSS
Exploits 1 · References 5
CNVD
added 2025/12/25 12:00 a.m. · 7 views

Kentico Xperience SQL Injection Vulnerability

Kentico Xperience is a digital experience platform from Kentico. Kentico Xperience suffers from a SQL injection vulnerability that stems from a lack of validation of externally entered SQL statements in the Online Marketing Macro Method parameter. An attacker can exploit this vulnerability to...

8.8 CVSS · 6.1 AI score · 0.00259 EPSS
Exploits 0 · References 1
Cvelist
added 2025/12/23 10:56 p.m. · 30 views

CVE-2025-68665 LangChain serialization injection vulnerability enables secret extraction

LangChain is a framework for building LLM-powered applications. Prior to @langchain/core versions 0.3.80 and 1.1.8, and prior to langchain versions 0.3.37 and 1.2.3, a serialization injection vulnerability exists in LangChain JS's toJSON method and subsequently when string-ifying objects using...

8.6 CVSS · 0.00746 EPSS
Exploits 0 · References 4
Cvelist
added 2025/12/23 9:42 p.m. · 24 views

CVE-2025-13700 DreamFactory saveZipFile Command Injection Remote Code Execution Vulnerability

DreamFactory saveZipFile Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of DreamFactory. Authentication is required to exploit this vulnerability. The specific flaw exists within the...

7.2 CVSS · 0.01373 EPSS
Exploits 0 · References 2
OSV
added 2025/12/23 8:08 p.m. · 5 views

GHSA-R399-636X-V7F6 LangChain serialization injection vulnerability enables secret extraction

Context: A serialization injection vulnerability exists in LangChain JS's toJSON method and subsequently when string-ifying objects using JSON.stringify. The method did not escape objects with 'lc' keys when serializing free-form data in kwargs. The 'lc' key is used internally by LangChain to mark...

8.6 CVSS · 7.2 AI score · 0.00746 EPSS
Exploits 0 · References 6
CNNVD
added 2025/12/23 12:00 a.m. · 4 views

DreamFactory Core Operating System Command Injection Vulnerability

DreamFactory Core is an open source DreamFactory core service from DreamFactory Software. DreamFactory Core suffers from an operating system command injection vulnerability that stems from a lack of validation of user-supplied strings in the implementation of the saveZipFile method, which could...

7.2 CVSS · 7.6 AI score · 0.01373 EPSS
Exploits 0 · References 2