11624 matches found

OSV
added 2025/06/04 9:18 p.m. · 2 views

GHSA-7W8P-CHXQ-2789 Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables

Summary The Deno.env.toObject method ignores any variables listed in the --deny-env option of the deno run command. When looking at the documentation of the --deny-env option this might lead to a false impression that variables listed in the option are impossible to read. PoC export...

CVSS 6.9 · AI score 7.1 · EPSS 0.00359
Exploits: 1 · References: 8
Github Security Blog
added 2025/06/04 9:18 p.m. · 15 views

Deno.env.toObject() ignores the variables listed in --deny-env and returns all environment variables

Summary The Deno.env.toObject method ignores any variables listed in the --deny-env option of the deno run command. When looking at the documentation of the --deny-env option this might lead to a false impression that variables listed in the option are impossible to read. PoC export...

CVSS 6.9 · AI score 6.9 · EPSS 0.00359
Exploits: 1 · References: 8 · Affected software: 2
AlpineLinux
added 2025/06/04 8:15 p.m. · 2 views

CVE-2025-48934

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Prior to versions 2.1.13 and 2.2.13, the Deno.env.toObject method ignores any variables listed in the --deny-env option of the deno run command. When looking at the documentation of the --deny-env option this might lead to a false...

CVSS 6.9 · AI score 7.3 · EPSS 0.00359
Exploits: 1 · References: 6
CVE
added 2025/06/04 1:01 p.m. · 50 views

CVE-2025-1701

CVE-2025-1701 affects MIM Admin Service prior to 7.2.13, 7.3.8, or 7.4.3. The issue allows a local attacker with access to the RMI interface (bound to 127.0.0.1) to send a specially crafted request and execute arbitrary code with the privileges of the MIM Admin service. The RMI surface is locally...

CVSS 8.9 · AI score 7.4 · EPSS 0.00628
Exploits: 0 · References: 1
Snyk
added 2025/06/03 6:43 p.m. · 3 views

Exposed Dangerous Method or Function

Overview org.webjars.npm:webpack-dev-server uses webpack with a development server that provides live reloading. It should be used for development only. Affected versions of this package are vulnerable to Exposed Dangerous Method or Function via the `__webpack_modules__` object. An attacker can...

CVSS 6 · AI score 6.8 · EPSS 0.00427
Exploits: 1 · References: 2
OSV
added 2025/06/03 1:15 p.m. · 6 views

ALPINE-CVE-2025-4517

Allows arbitrary filesystem writes outside the extraction directory during extraction with filter="data". You are affected by this vulnerability if using the tarfile module to extract untrusted tar archives using TarFile.extractall or TarFile.extract using the filter= parameter with a value of...

CVSS 9.4 · AI score 8 · EPSS 0.01184
Exploits: 11 · References: 1
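The tarfile entry above describes writes that land outside the extraction directory even with filter="data". Beyond upgrading, a practitioner wants a defence-in-depth extractor that does not trust the filter alone. The block below is an added example, not code from CPython or from the advisory: it statically rejects entries with absolute names, `..` components, device/FIFO types or links whose target escapes, then extracts one entry at a time and re-resolves each entry's on-disk path so a file written through a link that an earlier entry created is also caught. The archive it runs on is constructed in memory for the demonstration; `member_is_safe`, `safe_extract`, `build_sample_archive` and `run_demo` are names chosen here.

```python
from __future__ import annotations

import io
import os
import tarfile
import tempfile
from pathlib import Path, PurePosixPath


def member_is_safe(member: tarfile.TarInfo) -> tuple[bool, str]:
    """Static checks on one archive entry, done before anything is written."""
    name = PurePosixPath(member.name)
    if name.is_absolute() or ".." in name.parts:
        return False, "entry name escapes the destination"
    if member.isdev():  # character/block devices and FIFOs
        return False, "device or FIFO entry"
    if member.issym() or member.islnk():
        target = PurePosixPath(member.linkname)
        # symlink targets are relative to the link's own directory,
        # hard-link targets are relative to the archive root
        base = name.parent if member.issym() else PurePosixPath()
        resolved = PurePosixPath(os.path.normpath(str(base / target)))
        if resolved.is_absolute() or ".." in resolved.parts:
            return False, f"link target escapes the destination: {member.linkname}"
    return True, ""


def safe_extract(archive: bytes, dest: Path) -> tuple[list[str], list[tuple[str, str]]]:
    """Extract entries one by one, re-checking where each will land on disk.

    Path.resolve() follows symlinks that earlier entries have already created,
    so an entry that is only dangerous in combination with a previous one is
    rejected as well. filter="data" is still applied where the interpreter has it.
    """
    dest = dest.resolve()
    dest.mkdir(parents=True, exist_ok=True)
    extracted: list[str] = []
    rejected: list[tuple[str, str]] = []
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r") as tf:
        for member in tf:
            ok, why = member_is_safe(member)
            if ok:
                final = (dest / member.name).resolve()
                if final != dest and dest not in final.parents:
                    ok, why = False, "resolves outside the destination on disk"
            if not ok:
                rejected.append((member.name, why))
                continue
            # tarfile.data_filter exists on 3.12+ and on the patched 3.8-3.11 releases
            if hasattr(tarfile, "data_filter"):
                tf.extract(member, dest, filter="data")
            else:
                tf.extract(member, dest)
            extracted.append(member.name)
    return extracted, rejected


def build_sample_archive() -> bytes:
    """Constructed sample: one benign file plus entries that try to escape."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tf:
        def add_file(name: str, data: bytes) -> None:
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tf.addfile(info, io.BytesIO(data))

        add_file("app/config.txt", b"ok\n")
        add_file("../escape.txt", b"would be written beside the destination\n")
        link = tarfile.TarInfo("app/etc")          # symlink pointing at /etc
        link.type = tarfile.SYMTYPE
        link.linkname = "/etc"
        tf.addfile(link)
        add_file("app/etc/passwd", b"would reach /etc through the link\n")
    return buf.getvalue()


def run_demo() -> dict[str, object]:
    """Run the hardened extraction in a scratch directory and report the outcome."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch) / "out"
        extracted, rejected = safe_extract(build_sample_archive(), dest)
        leaked = (Path(scratch) / "escape.txt").exists()
    return {"extracted": extracted, "rejected": rejected, "leaked": leaked}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Because the symlink entry is rejected, the later `app/etc/passwd` entry is written as an ordinary file inside the destination rather than through a link; on an unpatched interpreter the static check is what stops the `..` entry, and the per-entry resolve is the backstop for link chains the static check cannot see.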
Packet Storm News
added 2025/06/03 12:00 a.m. · 4 views

Keyed Chaotic Dynamics for Privacy-Preserving Neural Inference

Neural network inference typically operates on raw input data, increasing the risk of exposure during preprocessing and inference. Moreover, neural architectures lack efficient built-in mechanisms for directly authenticating input data. This work introduces a novel encryption method for ensuring...

AI score 6.9
Exploits: 0
Positive Technologies
added 2025/06/02 12:00 a.m. · 4 views

PT-2025-23513 · Electron +2 · Electron +2

Name of the Vulnerable Software and Affected Versions: Dot versions 0.9.3 and earlier Description: The issue allows for XSS and resultant command execution. This is because user input and LLM output are appended to the DOM with innerHTML, specifically in render.js. Additionally, the Electron wind...

CVSS 8.1 · AI score 5.8 · EPSS 0.00185
Exploits: 0 · References: 7
SUSE CVE
added 2025/05/31 1:26 a.m. · 3 views

SUSE CVE-2025-48371

OpenFGA is an authorization/permission engine. OpenFGA versions 1.8.0 through 1.8.12 corresponding to Helm chart openfga-0.2.16 through openfga-0.2.30 and docker 1.8.0 through 1.8.12 are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Users are affected...

CVSS 8.8 · AI score 6.6 · EPSS 0.00408
Exploits: 0 · References: 3
Packet Storm News
added 2025/05/31 12:00 a.m. · 5 views

SafeGenes: Evaluating the Adversarial Robustness of Genomic Foundation Models

Genomic Foundation Models (GFMs), such as Evolutionary Scale Modeling (ESM), have demonstrated significant success in variant effect prediction. However, their adversarial robustness remains largely unexplored. To address this gap, we propose SafeGenes: a framework for Secure analysis of genomic...

AI score 7
Exploits: 0
Snyk
added 2025/05/30 7:41 p.m. · 3 views

Trust Boundary Violation

Overview Affected versions of this package are vulnerable to Trust Boundary Violation due to the Browse method using URLs provided through API responses from authenticated GitHub hosts when users execute gh commands. An attacker in control of a malicious GitHub server can execute arbitrary comman...

CVSS 9.8 · AI score 7.5 · EPSS 0.00429
Exploits: 0 · References: 2
CNNVD
added 2025/05/30 12:00 a.m. · 2 views

FreeScout security vulnerability

FreeScout is an ultra-lightweight free open source helpdesk and shared inbox built using PHP Laravel framework by FreeScout. FreeScout suffers from an information disclosure vulnerability that is caused by a logic flaw in the fill method. An attacker could exploit the vulnerability to obtain...

CVSS 5.3 · AI score 6.1 · EPSS 0.00287
Exploits: 1 · References: 2
Positive Technologies
added 2025/05/30 12:00 a.m. · 9 views

PT-2025-24602 · Crates.Io · Arrow2

`Rows::row_unchecked` allows out-of-bounds access to the underlying buffer without sufficient checks. The arrow2 crate is no longer maintained, so there are no plans to fix this issue. Users are advised to migrate to the arrow crate instead...

CVSS 8.7 · AI score 7.3
Exploits: 0 · References: 3
Packet Storm News
added 2025/05/29 12:00 a.m. · 4 views

Practical Bayes-Optimal Membership Inference Attacks

We develop practical and theoretically grounded membership inference attacks (MIAs) against both independent and identically distributed (i.i.d.) data and graph-structured data. Building on the Bayesian decision-theoretic framework of Sablayrolles et al., we derive the Bayes-optimal membership...

AI score 6.9
Exploits: 0
BDU FSTEC
added 2025/05/29 12:00 a.m. · 5 views

The vulnerability of the GetTraces method in the software for managing and monitoring remote devices in telemetry and telemechanics systems allows a hacker to bypass security restrictions, read and write arbitrary files, and execute arbitrary code.

The vulnerability in the GetTraces method of software for managing and monitoring remote devices in telemetry and telemechanics systems stems from missing safeguards on the structure of its SQL queries. Exploiting this vulnerability allows a malicious actor to bypass security restrictions, rea...

CVSS 9 · AI score 6.2 · EPSS 0.00598
Exploits: 0 · References: 3 · Affected software: 1
SUSE CVE
added 2025/05/28 3:21 a.m. · 4 views

SUSE CVE-2025-26803

The http parser in Phusion Passenger 6.0.21 through 6.0.25 before 6.0.26 allows a denial of service during parsing of a request with an invalid HTTP method...

CVSS 7.5 · AI score 6.9 · EPSS 0.0057
Exploits: 0 · References: 4
GithubExploit
added 2025/05/28 12:21 a.m. · 546 views

Exploit for Exposure of Sensitive Information to an Unauthorized Actor in Microsoft

CVE-2025-24071 PoC SMB + TAR Extraction Method This is a Po...

CVSS 6.5 · AI score 7.8 · EPSS 0.25068
Exploits: 21
Packet Storm News
added 2025/05/27 12:00 a.m. · 2 views

ColorGo: Directed Concolic Execution

Whitepaper called ColorGo: Directed Concolic Execution...

AI score 7
Exploits: 0
EUVD
added 2025/05/27 12:00 a.m. · 8 views

EUVD-2025-28267

vBulletin 5.0.0 through 5.7.5 and 6.0.0 through 6.0.3 allows unauthenticated users to invoke protected API controllers' methods when running on PHP 8.1 or later, as demonstrated by the /api.php?method=protectedMethod pattern, as exploited in the wild in May 2025...

CVSS 10 · AI score 6.5 · EPSS 0.69649
Exploits: 4 · References: 2
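The vBulletin entry above names the request shape seen in the wild, `/api.php?method=protectedMethod`. For triage, the useful artefact is the web server access log: any request to `api.php` carrying a `method` query parameter is worth a look, and a 200 response to one is the priority. The block below is an added example, not code from vBulletin or from the EUVD record: it parses common/combined-format log lines, pulls out such requests and counts them per source address. The log lines are constructed for the demonstration (documentation IP ranges, and the page's own placeholder name `protectedMethod`); whether the host runs PHP 8.1 or later, the other precondition in the record, has to be checked on the server itself and is not visible in logs.

```python
from __future__ import annotations

import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Common/combined log format: ip ident user [time] "verb target proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<target>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+'
)

# Constructed sample log, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [24/May/2025:10:01:12 +0000] "GET /forum/ HTTP/1.1" 200 5120
203.0.113.7 - - [24/May/2025:10:01:15 +0000] "POST /forum/api.php?method=protectedMethod HTTP/1.1" 200 310
198.51.100.4 - - [24/May/2025:10:02:03 +0000] "GET /forum/api.php HTTP/1.1" 403 0
198.51.100.4 - - [24/May/2025:10:02:09 +0000] "GET /forum/forum/general-discussion HTTP/1.1" 200 9100
203.0.113.7 - - [24/May/2025:10:03:40 +0000] "POST /forum/api.php?method=protectedMethod&x=1 HTTP/1.1" 500 0
"""


def extract_api_method(target: str) -> str | None:
    """Return the `method` query value for a request to api.php, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.lower().endswith("/api.php"):
        return None
    methods = parse_qs(parts.query, keep_blank_values=True).get("method")
    return methods[0] if methods else None


def triage(lines) -> list[dict[str, str]]:
    """Flag every parsed log line that calls api.php with a method parameter."""
    findings: list[dict[str, str]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; skip rather than guess
        method = extract_api_method(m["target"])
        if method is None:
            continue
        findings.append({
            "ip": m["ip"],
            "ts": m["ts"],
            "verb": m["verb"],
            "method": method,
            "status": m["status"],
        })
    return findings


def summarize(findings) -> dict[str, int]:
    """Count flagged requests per source address."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG.splitlines())
    for hit in hits:
        print(f'{hit["ts"]} {hit["ip"]} {hit["verb"]} method={hit["method"]} -> {hit["status"]}')
    print("per source:", summarize(hits))
```

Run it against a real access log with `triage(open(path).readlines())`; a bare `GET /api.php` with no `method` parameter is deliberately not flagged, so the output stays focused on the invocation pattern the record describes.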