Cvelist
added 2025/05/21 10:23 a.m.

CVE-2025-41232: Spring Security authorization bypass for method security annotations on private methods

Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass. Your application may be affected by this if the following are true: you are using @EnableMethodSecurity(mode=ASPECTJ) and spring-security-aspects, and you have...

CVSS 9.1, EPSS 0.00516
Exploits: 0, References: 1
CVE
added 2025/05/21 10:23 a.m.

CVE-2025-41232

CVE-2025-41232 affects multiple IBM and Spring-based products where Spring Security Aspects may fail to locate method security annotations on private methods, enabling potential authorization bypass when using @EnableMethodSecurity(mode=ASPECTJ) with spring-security-aspects and private annotated ...

CVSS 9.1, AI score 8.3, EPSS 0.00516
Exploits: 0, References: 1
Vulnrichment
added 2025/05/21 10:23 a.m.

CVE-2025-41232: Spring Security authorization bypass for method security annotations on private methods

Spring Security Aspects may not correctly locate method security annotations on private methods. This can cause an authorization bypass. Your application may be affected by this if the following are true: you are using @EnableMethodSecurity(mode=ASPECTJ) and spring-security-aspects, and you have...

CVSS 9.1, AI score 6.8, EPSS 0.00516
Exploits: 0, References: 1
OSV
added 2025/05/21 6:00 a.m.

BIT-NODE-2025-23166

The C++ method SignTraits::DeriveBits may incorrectly call ThrowException based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary...

CVSS 7.5, AI score 6.6, EPSS 0.00763
Exploits: 0, References: 2
OSV
added 2025/05/21 6:00 a.m.

BIT-NODE-MIN-2025-23166

The C++ method SignTraits::DeriveBits may incorrectly call ThrowException based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary...

CVSS 7.5, AI score 7.4, EPSS 0.00763
Exploits: 0, References: 2
Cvelist
added 2025/05/20 4:01 p.m.

CVE-2025-37960 memblock: Accept allocated memory before use in memblock_double_array()

In the Linux kernel, the following vulnerability has been resolved: memblock: Accept allocated memory before use in memblock_double_array(). When increasing the array size in memblock_double_array() and the slab is not yet available, a call to memblock_find_in_range() is used to reserve/allocate memory. Howeve...

EPSS 0.00148
Exploits: 0, References: 4
OSV
added 2025/05/19 4:52 p.m.

GHSA-5RJG-FVGR-3XXF setuptools has a path traversal vulnerability in PackageIndex.download that leads to Arbitrary File Write

Summary: A path traversal vulnerability in PackageIndex was fixed in setuptools version 78.1.1. Details: the vulnerable download-name handling reads

    def _download_url(self, url, tmpdir):
        # Determine download filename
        name, fragment = egg_info_for_url(url)
        if name:
            while '..' in name:
                name = name.replace('..', '.').replace('\\', '_')
        else:
            name = "__downloaded__"
    ...

CVSS 8.7, AI score 6.9, EPSS 0.01428
Exploits: 4, References: 8
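The snippet above scrubs ".." and backslashes from the URL-derived name and then hands it to os.path.join. The following is an added illustration, not setuptools's own code: vulnerable_target_path reconstructs that logic, safe_target_path is one reasonable hardening (basename plus a containment check after normalisation; not necessarily what 78.1.1 shipped), and the URL, tmpdir and function names are constructed for the example. The specific escape it demonstrates, a percent-encoded absolute path that os.path.join treats as rooted, is a property of the reconstructed code, not a claim about the advisory's proof of concept.

```python
import os
import posixpath
import urllib.parse


def egg_name_from_url(url: str) -> str:
    """Last path component of the URL, percent-decoded (the egg_info_for_url
    step as described in the advisory; fragment handling is omitted here)."""
    path = urllib.parse.urlparse(url).path
    return urllib.parse.unquote(path.split("/")[-1])


def vulnerable_target_path(url: str, tmpdir: str) -> str:
    """Reconstruction of the pre-78.1.1 logic quoted in the advisory:
    only '..' and backslashes are scrubbed, then os.path.join is used.
    (Hypothetical name; assumes a POSIX os.path.)"""
    name = egg_name_from_url(url)
    if name:
        while ".." in name:
            name = name.replace("..", ".").replace("\\", "_")
    else:
        name = "__downloaded__"
    # os.path.join discards tmpdir entirely when name is an absolute path,
    # and the loop above never looks at a leading '/'.
    return os.path.join(tmpdir, name)


def safe_target_path(url: str, tmpdir: str) -> str:
    """Hardened variant (added here, not setuptools's fix): keep only a
    basename, refuse empty or dot names, and verify containment on the
    normalised result instead of trusting string replacement."""
    name = posixpath.basename(egg_name_from_url(url).replace("\\", "/"))
    if name in ("", ".", ".."):
        name = "__downloaded__"
    root = os.path.abspath(tmpdir)
    target = os.path.abspath(os.path.join(root, name))
    if os.path.commonpath([root, target]) != root:
        raise ValueError(f"refusing to write outside {root}: {target}")
    return target


def escapes(tmpdir: str, target: str) -> bool:
    """True when target resolves outside tmpdir (the arbitrary-write condition)."""
    root = os.path.abspath(tmpdir)
    return os.path.commonpath([root, os.path.abspath(target)]) != root


if __name__ == "__main__":
    # Constructed sample inputs.
    evil = "https://example.invalid/simple/%2Ftmp%2Fevil.txt"
    print(vulnerable_target_path(evil, "/srv/dl"))  # lands in /tmp, not /srv/dl
    print(safe_target_path(evil, "/srv/dl"))        # /srv/dl/evil.txt
```

Note that the ".."-stripping loop does neutralise a relative traversal such as ..%2F..%2Fetc%2Fpasswd (it collapses to ././etc/passwd under tmpdir); the check that matters is whether the final, normalised path is still inside the download directory, which the replacement loop never establishes.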
AlpineLinux
added 2025/05/19 1:25 a.m.

CVE-2025-23166

The C++ method SignTraits::DeriveBits may incorrectly call ThrowException based on user-supplied inputs when executing in a background thread, crashing the Node.js process. Such cryptographic operations are commonly applied to untrusted inputs. Thus, this mechanism potentially allows an adversary...

CVSS 7.5, AI score 6.8, EPSS 0.00763
Exploits: 0
CVE
added 2025/05/19 1:25 a.m.

CVE-2025-23166

The CVE-2025-23166 issue affects Node.js and stems from SignTraits::DeriveBits() potentially calling ThrowException() with user-controlled inputs when run in a background thread, leading to a crash of the Node.js runtime. Public advisories in the Connected documents confirm affected packages (e.g...

CVSS 7.5, AI score 6.8, EPSS 0.00763
Exploits: 0, References: 1
Positive Technologies
added 2025/05/19 12:00 a.m.

PT-2025-22336 · Spring · Spring Security Aspects

Name of the vulnerable software and affected versions: Spring Security Aspects (affected versions not specified). Description: The issue concerns Spring Security Aspects not correctly locating method security annotations on private methods, potentially causing an authorization bypass. This can affec...

CVSS 9.1, AI score 7.3, EPSS 0.00516
Exploits: 0, References: 14
Packet Storm News
added 2025/05/19 12:00 a.m.

Recommender Systems for Democracy: toward Adversarial Robustness in Voting Advice Applications

Voting advice applications (VAAs) help millions of voters understand which political parties or candidates best align with their views. This paper explores the potential risks these applications pose to the democratic process when targeted by adversarial entities. In particular, we expose 11...

AI score 6.8
Exploits: 0
Snyk
added 2025/05/19 12:00 a.m.

Missing Authentication for Critical Function

Overview: org.springframework.security:spring-security-core is a package that provides security services for the Spring IO Platform. Affected versions of this package are vulnerable to Missing Authentication for Critical Function due to improperly locating method security annotations on private...

CVSS 9.3, AI score 6.8, EPSS 0.00516
Exploits: 0, References: 2
OSV
added 2025/05/15 4:08 p.m.

GHSA-F6RX-HF55-4255 Sulu vulnerable to XXE in SVG File upload Inspector

Impact: An admin user can upload an SVG that may load external data via the XML DOM library; in particular, this can be used to reference insecure XML external entities (XXE). Patches: The problem has not been patched yet. Users should upgrade to patched versions once they become available...

CVSS 8.6, AI score 6.6, EPSS 0.00376
Exploits: 0, References: 5
Debian CVE
added 2025/05/15 1:29 p.m.

CVE-2025-4516

There is an issue in CPython when using bytes.decode("unicode_escape", errors="ignore|replace"). If you are not using the "unicode_escape" encoding or an error handler, your usage is not affected. To work around this issue you may stop using the errors= handler and instead wrap the bytes.decode call in ...

CVSS 5.9, AI score 5.6, EPSS 0.00169
Exploits: 0
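The workaround the advisory describes, decoding with the default strict handler and catching the exception yourself, is shown below as an added example (not CPython's or Debian's code), together with a small ast-based scan that flags the affected call pattern in a code base. The function names, the DecodeResult container and the sample source string are constructed for the illustration; the vulnerable handler combination is deliberately never executed here.

```python
import ast
from dataclasses import dataclass
from typing import Any, List, Optional


@dataclass
class DecodeResult:
    ok: bool
    text: str
    reason: str = ""   # UnicodeDecodeError.reason, e.g. a truncated escape
    start: int = -1    # byte offset range the decoder rejected
    end: int = -1


def decode_unicode_escape(data: bytes, fallback: Optional[str] = None) -> DecodeResult:
    """Strict unicode_escape decode (no errors="ignore"/"replace"), with the
    failure turned into a value the caller can log or act on instead of a
    silently altered string."""
    try:
        return DecodeResult(True, data.decode("unicode_escape"))
    except UnicodeDecodeError as exc:
        if fallback is None:
            raise
        return DecodeResult(False, fallback, exc.reason, exc.start, exc.end)


def _const(node: ast.AST) -> Any:
    return node.value if isinstance(node, ast.Constant) else None


def find_affected_decode_calls(source: str) -> List[int]:
    """Line numbers of .decode('unicode_escape', ...) calls that pass an
    ignore/replace handler, i.e. the combination the advisory says is affected.
    Only literal arguments are recognised; dynamic values are not resolved."""
    hits: List[int] = []
    for node in ast.walk(ast.parse(source)):
        if not (isinstance(node, ast.Call)
                and isinstance(node.func, ast.Attribute)
                and node.func.attr == "decode"):
            continue
        positional = [_const(a) for a in node.args]
        keywords = {k.arg: _const(k.value) for k in node.keywords}
        encoding = positional[0] if positional else keywords.get("encoding")
        handler = positional[1] if len(positional) > 1 else keywords.get("errors")
        if (isinstance(encoding, str)
                and encoding.lower().replace("-", "_") == "unicode_escape"
                and handler in ("ignore", "replace")):
            hits.append(node.lineno)
    return hits


# Constructed sample module text for the scanner.
SAMPLE_SOURCE = '''
a = data.decode("unicode_escape", errors="ignore")
b = data.decode("unicode_escape")
c = data.decode("utf-8", "replace")
d = data.decode("unicode-escape", "replace")
'''

if __name__ == "__main__":
    print(decode_unicode_escape(b"caf\\xe9"))
    print(decode_unicode_escape(b"\\u12", fallback=""))
    print(find_affected_decode_calls(SAMPLE_SOURCE))  # lines 2 and 5
```

Codec names are normalised before comparison because Python accepts both "unicode_escape" and "unicode-escape"; the scanner is a triage aid for locating call sites to rewrite, not a substitute for updating the interpreter.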
Packet Storm News
added 2025/05/15 12:00 a.m.

DataSentinel: a Game-Theoretic Detection of Prompt Injection Attacks

LLM-integrated applications and agents are vulnerable to prompt injection attacks, where an attacker injects prompts into their inputs to induce attacker-desired outputs. A detection method aims to determine whether a given input is contaminated by an injected prompt. However, existing detection...

AI score 7.2
Exploits: 0
OSV
added 2025/05/14 6:05 p.m.

DRUPAL-CONTRIB-2025-063

This module enables you to allow users to include a second authentication method in addition to password authentication. The module doesn't sufficiently prevent reuse of the same TFA token within a 30-second window. This vulnerability is mitigated by the fact that an attacker must obtain a valid...

CVSS 4.8, AI score 7.1, EPSS 0.00217
Exploits: 0, References: 1
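A time-based code is valid for its whole 30-second step, so a verifier that only checks "does the code match the current step" accepts a captured code a second time. The block below is an added example, not the Drupal TFA module's code: a minimal RFC 6238 TOTP implementation, a naive verifier that has exactly that replay weakness, and a TotpVerifier that records the highest accepted time step per user and refuses anything at or below it (the "last successful step" bookkeeping RFC 6238 recommends). The secret, user names and timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the current time step."""
    return hotp(secret, int(now // step), digits)


def naive_verify(secret: bytes, code: str, now: float,
                 step: int = 30, digits: int = 6, skew: int = 1) -> bool:
    """Matches the code against the current step and its neighbours only.
    Nothing remembers that a code was already used, so a captured code
    replays for the rest of the step (plus the skew window)."""
    current = int(now // step)
    return any(hmac.compare_digest(hotp(secret, c, digits), code)
               for c in range(current - skew, current + skew + 1))


class TotpVerifier:
    """Accepts each time step at most once per user (hypothetical class name)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, skew: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.skew = skew
        # user -> highest counter already consumed; must be persisted and
        # updated atomically in a real deployment so parallel logins cannot race
        self.last_counter: Dict[str, int] = {}

    def verify(self, user: str, code: str, now: float) -> bool:
        current = int(now // self.step)
        for counter in range(current - self.skew, current + self.skew + 1):
            expected = hotp(self.secret, counter, self.digits)
            if hmac.compare_digest(expected, code):
                if counter <= self.last_counter.get(user, -1):
                    return False  # this step (or an older one) was already used: replay
                self.last_counter[user] = counter
                return True
        return False


if __name__ == "__main__":
    secret = b"12345678901234567890"  # RFC 6238 SHA-1 test secret
    code = totp(secret, 1000)
    print(naive_verify(secret, code, 1000), naive_verify(secret, code, 1010))  # True True
    guarded = TotpVerifier(secret)
    print(guarded.verify("alice", code, 1000), guarded.verify("alice", code, 1010))  # True False
```

The skew window exists for clock drift; the replay guard works with it rather than against it, because a code for step N-1 is refused once step N has been consumed, which is the behaviour the advisory describes as missing.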
OSV
added 2025/05/14 6:05 p.m.

DRUPAL-CONTRIB-2025-062

This module enables you to allow users to include a second authentication method in addition to password authentication. The module doesn't sufficiently prevent TFA from being bypassed when using the REST login routes. A new requirements check has been added to the status report so other...

CVSS 4.8, AI score 7.1, EPSS 0.00267
Exploits: 1, References: 1
OSSF Malicious Packages
added 2025/05/14 9:04 a.m.

Malicious code in node-method-indicator (npm)

Source: ghsa-malware (60414121dfe5a164bd132ab93d581199d55ba6bff4e937c7b52ecf6ca5fa1e0f). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 6.9
Exploits: 0, References: 1
OSV
added 2025/05/14 9:04 a.m.

MAL-2025-3798 Malicious code in node-method-indicator (npm)

Source: ghsa-malware (60414121dfe5a164bd132ab93d581199d55ba6bff4e937c7b52ecf6ca5fa1e0f). Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

AI score 7
Exploits: 0, References: 1
Drupal
added 2025/05/14 12:00 a.m.

One Time Password - Moderately critical - Access bypass - SA-CONTRIB-2025-061

This module enables you to allow users to include a second authentication method in addition to password authentication. The module doesn't sufficiently prevent one-time login links from bypassing TFA. This vulnerability is mitigated by the fact that an attacker must have access to an email accou...

CVSS 4.8, AI score 7, EPSS 0.00217
Exploits: 0, References: 2