CVE-2021-25157

A remote arbitrary file read vulnerability was discovered in some Aruba Instant Access Point IAP products in versions: Aruba Instant 6.4.x: 6.4.4.8-4.2.4.17 and below; Aruba Instant 6.5.x: 6.5.4.18 and below; Aruba Instant 8.3.x: 8.3.0.14 and below; Aruba Instant 8.5.x: 8.5.0.11 and below; Aruba...

CVE-2021-25167

A remote unauthorized access vulnerability was discovered in Aruba AirWave Management Platform versions prior to 8.2.12.1. Aruba has released patches for AirWave Management Platform that address this security vulnerability...

CVE-2021-32706

Pi-hole's Web interface provides a central location to manage a Pi-hole instance and review performance statistics. Prior to Pi-hole Web interface version 5.5.1, the validDomainWildcard pregmatch filter allows a malicious character through that can be used to execute code, list directories, and...

WordPress Coupons & Add to Cart by URL Links for WooCommerce plugin <= 1.7.7 - Cross Site Scripting (XSS) Vulnerability

Cross Site Scripting XSS Vulnerability discovered by muhammad yudha in WordPress Plugin Coupons & Add to Cart by URL Links for WooCommerce versions = 1.7.7...

GHSA-W9HF-35Q4-VCJW nosurf vulnerable to CSRF due to non-functional same-origin request checks

Impact This vulnerability allows an attacker who controls content on the target site, or on a subdomain of the target site either via XSS, or otherwise to bypass Cross-Site Request Forgery checks and issue requests on user's behalf. Details Due to misuse of the Go net/http library, nosurf...

CVE-2025-46721 nosurf vulnerable to CSRF due to non-functional same-origin request checks

nosurf is cross-site request forgery CSRF protection middleware for Go. A vulnerability in versions prior to 1.2.0 allows an attacker who controls content on the target site, or on a subdomain of the target site either via XSS, or otherwise to bypass CSRF checks and issue requests on user's behal...

CVE-2025-30159

CVE-2025-30159 affects Kirby CMS versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 when using the dynamic snippet name via the snippet() helper or $kirby-&gt;snippet() . The root cause is a missing path traversal check that could allow an attacker to access files outside the snippets root (or Kirby ...

CVE-2025-30147

Besu Native contains scripts and tooling that is used to build and package the native libraries used by the Ethereum client Hyperledger Besu. Besu 24.7.1 through 25.2.2, corresponding to besu-native versions 0.9.0 through 1.2.1, have a potential consensus bug for the precompiles ALTBN128ADD 0x06,...

Azure Linux 3.0 Security Update: kernel (CVE-2025-21928)

The version of kernel installed on the remote Azure Linux 3.0 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2025-21928 advisory. - In the Linux kernel, the following vulnerability has been resolved: HID: intel-ish-hid: Fix use-after-free...

CVE-2025-32974

Summary of CVE-2025-32974 (XWiki platform): The issue arises in XWiki versions 15.9-rc-1 to 15.10.7, and 16.0.0-rc-1 to 16.1.x, where the required rights analysis does not consider TextAreas with the default content type. When editing a page, a malicious script could be injected and executed afte...

CVE-2025-46552 KHC-INVITATION-AUTOMATION Sensitive User Information Leakage in Invitation Automation

KHC-INVITATION-AUTOMATION is a GitHub automation script that automatically invites followers of a bot account to join your organization. In some commits on version 1.2, a vulnerability was identified where user data, including email addresses and Discord usernames, were exposed in API responses...

CVE-2025-0926

Gee-netics, member of AXIS Camera Station Pro Bug Bounty Program, has found that it is possible for a non-admin user to remove system files causing a boot loop by redirecting a file deletion when recording video. Axis has released a patched version for the highlighted flaw. Please refer to the Ax...

Apple patches security vulnerabilities in iOS and iPadOS. Update now!

Apple has released a security update for iOS and iPadOS to patch two zero-day vulnerabilities which are reported to already have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS. Both vulnerabilities allowed an attacker to bypass the memory...

WordPress One Click Accessibility plugin <= 3.1.0 - Cross-Site Scripting (XSS) vulnerability

Cross-Site Scripting XSS vulnerability discovered by Ayato Shitomi @ Fore-Z co.ltd in WordPress Plugin Ally versions = 3.1.0...

CVE-2025-31492 mod_auth_openidc allows OIDCProviderAuthRequestMethod POSTs to leak protected data

modauthopenidc is an OpenID Certified authentication and authorization module for the Apache 2.x HTTP server that implements the OpenID Connect Relying Party functionality. Prior to 2.4.16.11, a bug in a modauthopenidc results in disclosure of protected content to unauthenticated users. The...

April Security Advisory Ivanti Connect Secure, Policy Secure & ZTA Gateways (CVE-2025-22457)

This advisory has been updated to make it clear the vulnerability was fully patched in Ivanti Connect Secure released February 11, 2025. Update April 23, 2025: This advisory has been updated to reflect changes to the Ivanti Policy Secure Versioning and the affected release date. Update May 14,...

Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers

Impact We received a report about a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an incoming Request by putting a URL pathname in the port section of a URL...

CVE-2025-31137

Summary: A Host/X-Forwarded-Host header manipulation vulnerability in Remix/React Router affects Remix 2 and React Router 7 users using the Express adapter. An attacker can spoof the incoming Request URL by placing a pathname in the URL’s port section of a header-hosted URL, potentially altering ...

Vulnerability fixed in Google Chrome

Google has fixed a vulnerability in Chrome. A malicious party can exploit the vulnerability by convincing a victim to open a rogue link. In this way, the sandbox security of the Chrome browser can be bypassed. Combined with a currently unknown vulnerability, this could lead to the execution of...

Exploit for SQL Injection in Epicor Human_Capital_Management

CVE-2025-22953 – Epicor HCM Unauthenticated Blind SQL Injecti...