Splunk Enterprise 9.2.0 < 9.2.10, 9.3.0 < 9.3.8, 9.4.0 < 9.4.6, 10.0 < 10.0.2 (SVD-2025-1204)

The version of Splunk installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the SVD-2025-1204 advisory. - In Splunk Enterprise versions below 10.0.2, 9.4.6, 9.3.8, and 9.2.10, and Splunk Cloud Platform versions below 10.1.2507.6,...

📄 Microsoft Windows 11 build 10.0.22631.6199 Dual-Path Privilege Escalation

Proof of concept exploit for a Microsoft Windows 11 build 10.0.22631.6199 dual-path elevation of privilege vulnerability in undocumented RPC and debugging objects...

Withdrawn Advisory: express improperly controls modification of query properties

Withdrawn Advisory This advisory has been withdrawn because it describes a correctness bug, not a vulnerability with real security impact. This link is maintained to preserve external references. Original Description Impact when using the extended query parser in express 'query parser': 'extended...

GHSA-PJ86-CFQH-VQX6 Withdrawn Advisory: express improperly controls modification of query properties

Withdrawn Advisory This advisory has been withdrawn because it describes a correctness bug, not a vulnerability with real security impact. This link is maintained to preserve external references. Original Description Impact when using the extended query parser in express 'query parser': 'extended...

CVE-2025-55074

Mattermost versions 10.11.x = 10.11.3, 10.5.x = 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects...

Duplicate Advisory: Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4hx9-48xh-5mxr. This link is maintained to preserve external references. Original Description A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm...

GHSA-93VM-MQPW-8WH3 Duplicate Advisory: Keycloak LDAP User Federation provider enables admin-triggered untrusted Java deserialization

Duplicate Advisory This advisory has been withdrawn because it is a duplicate of GHSA-4hx9-48xh-5mxr. This link is maintained to preserve external references. Original Description A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm...

GO-2025-4133 Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server

Mattermost allows other users to determine when users had read channels via channel member objects in github.com/mattermost/mattermost-server. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is...

CVE-2025-13467

A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration...

org.keycloak.storage.ldap: Keycloak: Deserialization of Untrusted Data in LDAP User Federation

A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration...

org.keycloak.storage.ldap: Keycloak: Deserialization of Untrusted Data in LDAP User Federation

A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration...

CVE-2025-13467 Org.keycloak.storage.ldap: keycloak: deserialization of untrusted data in ldap user federation

A flaw was found in the Keycloak LDAP User Federation provider. This vulnerability allows an authenticated realm administrator to trigger deserialization of untrusted Java objects via a malicious LDAP server configuration...

CVE-2025-13467

A CVE-2025-13467 issue affects Keycloak’s LDAP User Federation provider. An authenticated realm administrator can trigger deserialization of untrusted Java objects by feeding a malicious LDAP server configuration. Public documentation in connected advisories confirms this is an admin-triggered de...

PT-2025-48039

Name of the Vulnerable Software and Affected Versions Keycloak affected versions not specified Description A flaw exists in the Keycloak LDAP User Federation provider that allows an authenticated realm administrator to trigger deserialization of untrusted Java objects. This is achieved through a...

Red Hat build of Keycloak 安全漏洞

Red Hat build of Keycloak is a web application for single sign-on from Red Hat, Inc. A security vulnerability exists in Red Hat build of Keycloak version 26.2, which originates from deserializing untrusted Java objects and could lead to remote code execution...

ROS-20251125-12

Vulnerability of QuerySet and Q objects of Django web application development platform is related to failure to take measures to protect the SQL query structure when processing an argument with the connector keyword. Exploitation of the vulnerability could allow an attacker acting remotely to...

AI teddy bear for kids responds with sexual content and advice about weapons

In testing, FoloToy’s AI teddy bear jumped from friendly chat to sexual topics and unsafe household advice. It shows how easily artificial intelligence can cross serious boundaries. It’s a fair moment to ask whether AI-powered stuffed animals are appropriate for children. It’s easy to get swept u...

CouchAuth 安全漏洞

CouchAuth is a Perfood open source authentication API. A security vulnerability exists in CouchAuth version 0.21.2, which stems from session tokens and passwords being stored in JavaScript objects and not explicitly cleared, which could lead to sensitive data disclosure and session hijacking...

GHSA-9HH7-6558-QFP2 Mattermost allows other users to determine when users had read channels via channel member objects

Mattermost versions 10.11.x = 10.11.3, and 10.5.x = 10.5.11 fail to enforce access permissions on the Agents plugin which allows other users to determine when users had read channels via channel member objects...

EUVD-2025-198045

Mattermost allows other users to determine when users had read channels via channel member objects...