CVE-2025-8756 TDuckCloud tduck-platform manage preHandle improper authorization

A vulnerability has been found in TDuckCloud tduck-platform up to 5.1 and classified as critical. Affected by this vulnerability is the function preHandle of the file /manage/ of the component com.tduck.cloud.api.web.interceptor.AuthorizationInterceptor. The manipulation leads to improper...

CVE-2025-54999

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. In versions 0.1.0 through 2.3.1, when using OpenBao's userpass auth method, user enumeration was possible due to timing difference between non-existent users an...

Important: kernel

Issue Overview: In the Linux kernel, the following vulnerability has been resolved: net: tap: NULL pointer derefence in devparseheaderprotocol when skb-dev is null CVE-2022-50073 In the Linux kernel, the following vulnerability has been resolved: VMCI: check context-notifypage after call to...

Apache CXF: Untrusted JMS configuration can lead to RCE

If untrusted users are allowed to configure JMS for Apache CXF, previously they could use RMI or LDAP URLs, potentially leading to code execution capabilities. This interface is now restricted to reject those protocols, removing this possibility. Users are recommended to upgrade to versions 3.6.8...

SUSE CVE-2025-47907

Cancelling a query e.g. by cancelling the context passed to one of the query methods during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with...

AZL-66153 CVE-2025-47907 affecting package golang for versions less than 1.24.6-1

Cancelling a query e.g. by cancelling the context passed to one of the query methods during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with...

CVE-2025-47907

Cancelling a query e.g. by cancelling the context passed to one of the query methods during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with...

CVE-2025-47907

Cancelling a query e.g. by cancelling the context passed to one of the query methods during a call to the Scan method of the returned Rows can result in unexpected results if other queries are being made in parallel. This can result in a race condition that may overwrite the expected results with...

PT-2025-32329

Name of the Vulnerable Software and Affected Versions Apache CXF versions prior to 3.6.8 Apache CXF versions prior to 4.0.9 Apache CXF versions prior to 4.1.3 Description If untrusted users are permitted to configure JMS Java Message Service for Apache CXF, they could use RMI Remote Method...

Linux Distros Unpatched Vulnerability : CVE-2022-45411

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Cross-Site Tracing occurs when a server will echo a request back via the Trace method, allowing an XSS attack to access to authorization headers and cookies...

HashiCorp Vault ldap auth method may not have correctly enforced MFA

Vault and Vault Enterprise’s “Vault” ldap auth method may not have correctly enforced MFA if usernameasalias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and...

(0Day) Microsoft SharePoint GetTransformer Unsafe Reflection Denial-of-Service Vulnerability

This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of Microsoft SharePoint. Authentication is required to exploit this vulnerability. The specific flaw exists within the implementation of the GetTransformer method. The issue results from t...

Linux Distros Unpatched Vulnerability : CVE-2025-21902

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: acpi: typec: ucsi: Introduce a -pollcci method For the ACPI backend of UCSI the UCSI registe...

CVE-2025-51857

The reconcile method in the AttachmentReconciler class of the Halo system v.2.20.18LTS and before is vulnerable to XSS attacks...

BIT-VAULT-2025-6037 Vault Certificate Auth Method Did Not Validate Common Name For Non-CA Certificates

Vault and Vault Enterprise “Vault” TLS certificate auth method did not correctly validate client certificates when configured with a non-CA certificate as +trusted certificate+|https://developer.hashicorp.com/vault/api-docs/auth/certcertificate. In this configuration, an attacker may be able to...

BIT-VAULT-2025-6004 Vault Userpass and LDAP User Lockout Bypass

Vault and Vault Enterprise’s “Vault” user lockout feature could be bypassed for Userpass and LDAP authentication methods. Fixed in Vault Community Edition 1.20.1 and Vault Enterprise 1.20.1, 1.19.7, 1.18.12, and 1.16.23...

Lightweight Fault Detection Architecture for NTT on FPGA

Post-Quantum Cryptographic PQC algorithms are mathematically secure and resistant to quantum attacks but can still leak sensitive information in hardware implementations due to natural faults or intentional fault injections. The intent fault injection in side-channel attacks reduces the reliabili...

CVE-2025-51857

The reconcile method in the AttachmentReconciler class of the Halo system v.2.20.18LTS and before is vulnerable to XSS attacks...

U.S. Dept Of Defense: Cross-Site Scripting via 'EVENT_DESCRIPTION' parameter

A Cross-Site Scripting XSS vulnerability was discovered in the POST method on the website, specifically through the EVENTDESCRIPTION parameter. Exploitation of this vulnerability could have led to severe consequences, including session hijacking. The vulnerability was caused by insufficient...

Directory Traversal

Overview Affected versions of this package are vulnerable to Directory Traversal via the unzipFile function in the client.go file, which uses filepath.JoindestDir, f.Name without validating or sanitizing f.Name. An attacker can overwrite arbitrary files on the system outside of the intended...