Lucene search

1153 matches found

EUVD
added 2025/12/31 9:17 p.m.

EUVD-2025-206093

RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In versions prior to 0.23.0, a low-privileged authenticated user (normal login account) can execute arbitrary system commands on the server host process via the frontend Canvas CodeExec component, completely bypassing sandbox...

CVSS 9.4, AI score 6.8, EPSS 0.00473
Exploits 1, References 2
UbuntuCve
added 2025/12/29 7:15 p.m.

CVE-2025-68431

libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in HeifPixelImage::overlay. The function computes a negative row length likely from an unclipped overlay rectangle or...

CVSS 7.1, AI score 6, EPSS 0.00267
Exploits 1, References 4
Vulnrichment
added 2025/12/29 7:09 p.m.

CVE-2025-68431 libheif has Potential Heap Buffer Over-Read

libheif is an HEIF and AVIF file format decoder and encoder. Prior to version 1.21.0, a crafted HEIF that exercises the overlay image item path triggers a heap buffer over-read in HeifPixelImage::overlay. The function computes a negative row length likely from an unclipped overlay rectangle or...

CVSS 6.5, AI score 6.6, EPSS 0.00267
Exploits 1, References 3
IBM Security Bulletins
added 2025/12/19 3:28 p.m.

Security Bulletin: IBM App Connect Enterprise Certified Container is vulnerable to denial of service and loss of confidentiality due to several findings in Golang binaries

Summary IBM App Connect Enterprise Certified Container contains several Golang-based binaries. IBM App Connect Enterprise Certified Container operator and operands are vulnerable to denial of service and loss of confidentiality. This bulletin provides patch information to address the reported...

CVSS 7.5, AI score 6.6, EPSS 0.00586
Exploits 0, Affected Software 1
Cvelist
added 2025/12/19 12:32 a.m.

CVE-2025-14908 JeecgBoot Multi-Tenant Management SysTenantController.java improper authentication

A security flaw has been discovered in JeecgBoot up to 3.9.0. The affected element is an unknown function of the file jeecg-boot/jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/SysTenantController.java of the component Multi-Tenant Management Module...

CVSS 6.5, EPSS 0.00303
Exploits 1, References 5
Positive Technologies
added 2025/12/19 12:00 a.m.

PT-2025-52408

Name of the Vulnerable Software and Affected Versions: ABB T-MAC Plus version 4.0-24; Firebox, affected versions not specified. Description: ABB T-MAC Plus is affected by improper neutralization of input during web page generation, which leads to cross-site scripting (XSS), a condition where malicious...

CVSS 8, AI score 5.6, EPSS 0.00181
Exploits 0, References 3
Positive Technologies
added 2025/12/19 12:00 a.m.

PT-2025-52501

Name of the Vulnerable Software and Affected Versions: floooh sokol versions prior to 33e2271c431bf21de001e972f72da17a984da932. Description: A security flaw exists in floooh sokol. The issue resides in the sg pipeline common init function within the sokol_gfx.h library, leading to a heap-based buffe...

CVSS 7.8, AI score 5.6, EPSS 0.00188
Exploits 1, References 12
Github Security Blog
added 2025/12/18 3:46 p.m.

Amazon S3 Encryption Client for .NET has a Key Commitment Issue

Summary: S3 Encryption Client for .NET (S3EC) is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3. When the encrypted data key (EDK) is stored in an "Instruction File" instead of S3's metadata record, the EDK is exposed to an "Invisible...

CVSS 6, AI score 7, EPSS 0.00094
Exploits 0, References 6, Affected Software 1
EUVD
added 2025/12/17 10:01 p.m.

EUVD-2025-204019

FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to version 3.20.0, a vulnerability exists in FreeRDP’s certificate handling code on Windows platforms. The function freerdpcertificatedatahash uses the Microsoft-specific snprintf function to format certificate cache filenames...

CVSS 8.7, AI score 6.7, EPSS 0.00214
Exploits 0, References 2
NVD
added 2025/12/17 9:16 p.m.

CVE-2025-67493

Homarr is an open-source dashboard. Prior to version 1.45.3, it was possible to craft an input which allowed privilege escalation and getting access to groups of other users due to missing sanitization of inputs in the LDAP search query. The vulnerability could impact all instances using LDAP...

CVSS 9, EPSS 0.00258
Exploits 0, References 1
RedhatCVE
added 2025/12/17 1:49 a.m.

CVE-2025-68115

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available ...

CVSS 6.1, AI score 5.8, EPSS 0.00183
Exploits 0, References 1
RedHat Linux
added 2025/12/16 2:28 p.m.

binutils: GNU Binutils Linker heap-based overflow

A heap-based buffer overflow flaw has been discovered in GNU Binutils. The affected element is the function elfswapshdr in the library bfd/elfcode.h of the component Linker. The manipulation leads to heap-based buffer overflow. The attack must be carried out locally...

CVSS 7.8, AI score 6.4, EPSS 0.00235
Exploits 1, References 12
Cvelist
added 2025/12/15 8:21 p.m.

CVE-2025-64725 Weblate has improper validation upon invitation acceptance

Weblate is a web-based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15 contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended...

CVSS 1, EPSS 0.00319
Exploits 0, References 4
Positive Technologies
added 2025/12/15 12:00 a.m.

PT-2025-51315

Name of the Vulnerable Software and Affected Versions: Weblate versions prior to 5.15. Description: Weblate is a web-based localization tool. Versions prior to 5.15 allowed accepting an invitation opened by a different user. Recommendations: Update to version 5.15 or later. As a workaround, avoid...

CVSS 9.8, AI score 6.5, EPSS 0.00319
Exploits 0, References 6
Circl
added 2025/12/13 10:33 a.m.

GCVE-1-2025-0038

creation timestamp | type | source
---|---|---
2025-12-13 10:33:29+00:00 | patched | https://github.com/MISP/MISP/releases/tag/v2.5.30
2025-12-13 10:39:06+00:00 | patched | https://www.misp-project.org/2025/12/13/misp.2.5.29-2.5.30.released.html/
...

AI score 6
Exploits 0, References 2
Github Security Blog
added 2025/12/12 7:22 p.m.

NeuVector OpenID Connect is vulnerable to man-in-the-middle (MITM)

Impact: NeuVector supports login authentication through OpenID Connect. However, the TLS verification which verifies the remote server's authenticity and integrity for OpenID Connect is not enforced by default. As a result, this may expose the system to man-in-the-middle (MITM) attacks. Starting from...

CVSS 8.8, AI score 7, EPSS 0.00321
Exploits 0, References 5, Affected Software 1
RedhatCVE
added 2025/12/10 9:16 p.m.

CVE-2025-14116

A vulnerability was detected in xerrors Yuxi-Know up to 0.4.0. This vulnerability affects the function OtherEmbedding.aencode of the file /src/models/embed.py. Performing manipulation of the argument healthurl results in server-side request forgery. The attack can be initiated remotely. The explo...

CVSS 5.8, AI score 6.8, EPSS 0.00223
Exploits 0, References 1
OSV
added 2025/12/10 6:20 p.m.

GHSA-F4CF-9RVR-2RCX Zitadel Discloses the Total Number of Instance Users

Summary: Zitadel's User Service discloses the total number of instance users to unauthorized users. Impact: The ZITADEL User Service exposes the total number of users within an instance to any authenticated user, regardless of their specific permissions. While this does not leak individual user dat...

CVSS 5.3, AI score 5.8, EPSS 0.00191
Exploits 0, References 4
Github Security Blog
added 2025/12/08 10:20 p.m.

ZITADEL Vulnerable to Account Takeover via DOM-Based XSS in Zitadel V2 Login

Summary: A potential vulnerability exists in ZITADEL's logout endpoint in login V2. This endpoint accepts several parameters including a postlogoutredirect. When this parameter is specified, users will be redirected to the site that is provided via this parameter. ZITADEL's login UI did not ensure...

CVSS 8, AI score 7.1, EPSS 0.00261
Exploits 0, References 4, Affected Software 2
EUVD
added 2025/12/08 12:01 p.m.

EUVD-2025-201703

In affected versions, vulnerability-lookup did not track or limit failed One-Time Password (OTP) attempts during Two-Factor Authentication (2FA) verification. An attacker who already knew or guessed a valid username and password could submit an arbitrary number of OTP codes without causing the accoun...

CVSS 8.1, AI score 6.5, EPSS 0.00324
Exploits 0, References 2