
6337 matches found

PyPA
added 2025/09/25 3:16 p.m., 10 views

PYSEC-2025-202

PyTorch before 3.7.0 has a bernoulli_p decompose function in decompositions.py even though it lacks full consistency with the eager CPU implementation, negatively affecting nn.Dropout1d, nn.Dropout2d, and nn.Dropout3d for fallback_random=True...

5.3 CVSS, 5.8 AI score, 0.00391 EPSS
Exploits: 0, References: 5, Affected Software: 1
Veracode
added 2025/09/25 6:29 a.m., 4 views

Improper Access Control

contao/contao is vulnerable to improper access control. The vulnerability is due to the table access voter in the back end not checking if a user is allowed to access the corresponding module, which allows an attacker to gain unauthorized access to restricted modules...

4.3 CVSS, 7.1 AI score, 0.00225 EPSS
Exploits: 0, References: 5, Affected Software: 2
Tenable Nessus
added 2025/09/25 12:0 a.m., 6 views

Multiple Node.js Modules compromised in supply chain attack to harvest credentials (Shai-Hulud) (11/25/2025)

The remote host has a version of one or more Node.js modules installed known to be compromised in a supply chain attack Shai-Hulud. The modules that are vulnerable are referenced here: - https://github.com/tenable/shai-hulud-second-coming-affected-packages/blob/main/list.md. A malicious update to...

5.7 AI score
Exploits: 0, References: 3
Cvelist
added 2025/09/25 12:0 a.m., 6 views

CVE-2025-46153

PyTorch before 3.7.0 has a bernoulli_p decompose function in decompositions.py even though it lacks full consistency with the eager CPU implementation, negatively affecting nn.Dropout1d, nn.Dropout2d, and nn.Dropout3d for fallback_random=True...

0.00391 EPSS
Exploits: 0, References: 5
Positive Technologies
added 2025/09/24 12:0 a.m., 2 views

PT-2025-39328

Name of the Vulnerable Software and Affected Versions: web3-core-method versions 1.10.4 and earlier. Description: A Prototype Pollution issue exists in the attachToObject function of web3-core-method. Attackers can inject properties onto Object.prototype by providing a crafted payload. This can lead...

7.5 CVSS, 6.5 AI score, 0.00365 EPSS
Exploits: 0, References: 7
Tenable Nessus
added 2025/09/24 12:0 a.m., 14 views

RHEL 8 : kpatch-patch-4_18_0-553_16_1, kpatch-patch-4_18_0-553_30_1, kpatch-patch-4_18_0-553_40_1, kpatch-patch-4_18_0-553_53_1, and kpatch-patch-4_18_0-553_72_1 (RHSA-2025:16582)

The remote Redhat Enterprise Linux 8 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:16582 advisory. This is a kernel live patch module which can be loaded by the kpatch command line utility to modify the code of a running kernel. This patc...

7.8 CVSS, 7.4 AI score, 0.0036 EPSS
Exploits: 3, References: 11
NVD
added 2025/09/22 8:15 p.m., 12 views

CVE-2025-59528

Flowise is a drag & drop user interface to build a customized large language model flow. In version 3.0.5, Flowise is vulnerable to remote code execution. The CustomMCP node allows users to input configuration settings for connecting to an external MCP server. This node parses the user-provided...

10 CVSS, 0.90183 EPSS
Exploits: 21, References: 8
Ubuntu
added 2025/09/22 2:6 p.m., 6 views

USN-7761-1: PAM vulnerability

It was discovered that the PAM pam_access module incorrectly parsed certain rules as hostnames. An attacker could possibly use this issue to spoof hostnames and bypass access restrictions...

7.4 CVSS, 7.2 AI score, 0.00798 EPSS
Exploits: 0
Gitee
added 2025/09/22 1:44 a.m., 153 views

nightmare

This repository is an introduction to binary exploitation and reverse engineering course based on CTF challenges, called "Nightmare". It contains a large amount of content, with over 90 challenges, laid out in a linear fashion, and well-documented write-ups explaining how to go from being handed...

6.9 AI score
Exploits: 0
GithubExploit
added 2025/09/21 3:21 a.m., 205 views

Exploit for Cross-site Scripting in Exclusiveaddons Exclusive_Addons_For_Elementor

Cookiecutter POC Template A minimal Python cookiecutter templ...

6.4 CVSS, 7.3 AI score, 0.01593 EPSS
Exploits: 12
RedhatCVE
added 2025/09/20 3:28 p.m., 6 views

CVE-2025-10673

A vulnerability was determined in itsourcecode Student Information Management System 1.0. The impacted element is an unknown function of the file /admin/modules/class/index.php. This manipulation of the argument classId causes sql injection. The attack may be initiated remotely. The exploit has...

9.8 CVSS, 7 AI score, 0.00543 EPSS
Exploits: 1, References: 1
Rapid7 Blog
added 2025/09/19 7:27 p.m., 8 views

Metasploit Weekly Wrap-Up 09/19/2025

Consistently Persistent: The Metasploit Framework has around 26 different modules which can be used to establish persistence on a target. Persistence modules help operators ensure they can maintain a consistent foothold within an environment once a target has been compromised and are quite helpful...

8.8 CVSS, 10 AI score, 0.38428 EPSS
Exploits: 12
Tenable Nessus
added 2025/09/19 12:0 a.m., 8 views

Multiple Node.js Modules compromised in supply chain attack to steal crypto (08/09/2025)

The remote host has a version of one or more Node.js modules installed known to be compromised in a supply chain attack. The following Node.js modules are known to be affected: 'backslash', 'chalk', 'debug', 'chalk-template', 'supports-hyperlinks', 'has-ansi', 'simple-swizzle', 'color-string',...

8.8 CVSS, 5.5 AI score, 0.00473 EPSS
Exploits: 0, References: 19
OSV
added 2025/09/18 3:15 p.m., 3 views

CVE-2025-10673

A vulnerability was determined in itsourcecode Student Information Management System 1.0. The impacted element is an unknown function of the file /admin/modules/class/index.php. This manipulation of the argument classId causes sql injection. The attack may be initiated remotely. The exploit has...

9.8 CVSS, 5.8 AI score, 0.00543 EPSS
Exploits: 1, References: 5
Cvelist
added 2025/09/18 3:2 p.m., 9 views

CVE-2025-10673 itsourcecode Student Information Management System index.php sql injection

A vulnerability was determined in itsourcecode Student Information Management System 1.0. The impacted element is an unknown function of the file /admin/modules/class/index.php. This manipulation of the argument classId causes sql injection. The attack may be initiated remotely. The exploit has...

7.5 CVSS, 0.00543 EPSS
Exploits: 1, References: 5
Fedora
added 2025/09/18 12:58 a.m., 6 views

[SECURITY] Fedora 42 Update: lemonldap-ng-2.21.3-1.fc42

LemonLdap::NG is a modular Web-SSO based on Apache::Session modules. It simplifies the build of a protected area with a few changes in the application. It manages both authentication and authorization and provides headers for accounting. So you can have a full AAA protection for your web space as...

7.2 AI score
Exploits: 0
CNNVD
added 2025/09/18 12:0 a.m., 2 views

itsourcecode Student Information Management System SQL injection vulnerability

itsourcecode Student Information Management System is an open source student information management system from itsourcecode. itsourcecode Student Information Management System version 1.0 has a SQL injection vulnerability. The vulnerability stems from the wrong operation of the parameter classId in the...

9.8 CVSS, 7.7 AI score, 0.00543 EPSS
Exploits: 1, References: 6
NVD
added 2025/09/17 12:15 p.m., 1 views

CVE-2025-8999

The Sydney theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_modules' function in all versions up to, and including, 2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate...

5.3 CVSS, 0.00262 EPSS
Exploits: 0, References: 5
OSV
added 2025/09/17 11:31 a.m., 2 views

SUSE-SU-2025:20750-1 Security update for pam

This update for pam fixes the following issues: - CVE-2024-10041: Fixed hashed password leak (bsc#1232234)...

4.7 CVSS, 6.9 AI score, 0.00265 EPSS
Exploits: 0, References: 3
Cvelist
added 2025/09/17 11:25 a.m., 8 views

CVE-2025-8999 Sydney <= 2.56 - Missing Authorization to Authenticated (Subscriber+) Limited Theme Options Update

The Sydney theme for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'activate_modules' function in all versions up to, and including, 2.56. This makes it possible for authenticated attackers, with Subscriber-level access and above, to activate...

5.3 CVSS, 0.00262 EPSS
Exploits: 0, References: 5