851 matches found

NVD
added 2025/04/22 6:16 p.m., 10 views

CVE-2025-32961

The Cuba JPA web API enables loading and saving any entities defined in the application data model by sending simple HTTP requests. Prior to version 1.1.1, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name...

CVSS 6.4, EPSS 0.00376
Exploits 0, References 4
Cvelist
added 2025/04/22 5:46 p.m., 13 views

CVE-2025-32961 CUBA JPA Web API Vulnerable to Cross-Site Scripting (XSS) in the /download Endpoint

The Cuba JPA web API enables loading and saving any entities defined in the application data model by sending simple HTTP requests. Prior to version 1.1.1, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name...

CVSS 6.4, EPSS 0.00376
Exploits 0, References 4
CVE
added 2025/04/22 5:14 p.m., 71 views

CVE-2025-32963

MinIO Operator STS (Kubernetes IAM) flaw: before v7.1.0, the spec.audiences default could be the Kubernetes API server, allowing replay to internal systems. Root cause: unscoped audiences enable trust beyond intended scope. Impact: tokens could be replayed to other components; mitigated only by p...

CVSS 6.9, AI score 6.5, EPSS 0.00034
Exploits 0, References 3
Cvelist
added 2025/04/21 8:45 p.m., 6 views

CVE-2025-32955 Harden-Runner Evasion of 'disable-sudo' policy

Harden-Runner is a CI/CD security agent that works like an EDR for GitHub Actions runners. Versions from 0.12.0 to before 2.12.0 are vulnerable to disable-sudo bypass. Harden-Runner includes a policy option disable-sudo to prevent the GitHub Actions runner user from using sudo. This is implemente...

CVSS 6, EPSS 0.00016
Exploits 0, References 3
Vulnrichment
added 2025/04/18 3:59 p.m., 12 views

CVE-2025-32442 Fastify vulnerable to invalid content-type parsing, which could lead to validation bypass

Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a slightly altered content type such as...

CVSS 7.5, AI score 7.4, EPSS 0.00069
Exploits 1, References 4
CVE
added 2025/04/18 3:59 p.m., 81 views

CVE-2025-32442

The CVE-2025-32442 issue affects Fastify (Node.js) where applications that specify different validation strategies for multiple content types can bypass validation by supplying a slightly altered Content-Type (e.g., different casing or whitespace before ";"). Affected versions include Fastify 5.0...

CVSS 7.5, AI score 7.4, EPSS 0.00069
Exploits 1, References 4, Affected Software 1
CVE
added 2025/04/18 3:56 p.m., 56 views

CVE-2025-32389

CVE-2025-32389 concerns NamelessMC prior to 2.1.4, where an SQL injection could be triggered by the square bracket GET parameter syntax (e.g., ?param[0]=a&param[1]=b&param[2]=c). The underlying issue is PHP parsing $_GET['param'] as an array when square-bracket syntax is used, enabling injection ...

CVSS 8.6, AI score 8.1, EPSS 0.00271
Exploits 1, References 3, Affected Software 1
CVE
added 2025/04/18 3:52 p.m., 59 views

CVE-2025-31118

CVE-2025-31118 (NamelessMC) affects NamelessMC up to version 2.1.4. The forum quick reply feature (view_topic.php) lacks spam prevention, allowing authenticated users to post replies without time restrictions, causing a surge that can disrupt operations. A fix is available in version 2.2.0. Remed...

CVSS 7.1, AI score 6.9, EPSS 0.00357
Exploits 1, References 3, Affected Software 1
OSV
added 2025/04/18 3:52 p.m., 4 views

CVE-2025-31118 NamelessMC Has Forum Reply Submission Time Limit Bypass

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, forum quick reply feature viewtopic.php does not implement any spam prevention mechanism. This allows authenticated users to continuously post replies without any time restriction,...

CVSS 7.1, AI score 6.6, EPSS 0.00357
Exploits 1, References 5
Vulnrichment
added 2025/04/18 3:51 p.m., 8 views

CVE-2025-30357 NamelessMC Forum Topic Deletion Triggered by Unrelated User Deletion

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, if a malicious user is leaving spam comments on many topics then an administrator, unable to manually remove each spam comment, may delete the malicious account. Once an administrator...

CVSS 7.3, AI score 7.2, EPSS 0.00194
Exploits 1, References 3
OSV
added 2025/04/18 3:51 p.m., 6 views

CVE-2025-30357 NamelessMC Forum Topic Deletion Triggered by Unrelated User Deletion

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, if a malicious user is leaving spam comments on many topics then an administrator, unable to manually remove each spam comment, may delete the malicious account. Once an administrator...

CVSS 7.3, AI score 6.7, EPSS 0.00194
Exploits 1, References 5
Cvelist
added 2025/04/18 3:50 p.m., 11 views

CVE-2025-30158 NamelessMC Forum iframe width/height abuse causing UI-based Denial of Service

NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, the forum allows users to post iframe elements inside forum topics/comments/feed with no restriction on the iframe's width and height attributes. This allows an authenticated attacker ...

CVSS 7.1, EPSS 0.00357
Exploits 1, References 3
RedhatCVE
added 2025/04/17 9:01 p.m., 9 views

CVE-2025-31499

Jellyfin is an open source self hosted media server. Versions before 10.10.7 are vulnerable to argument injection in FFmpeg. This can be leveraged to possibly achieve remote code execution by anyone with credentials to a low-privileged user. This vulnerability was previously reported in...

CVSS 8.8, AI score 8.3, EPSS 0.01504
Exploits 1, References 1
Patchstack
added 2025/04/16 1:54 p.m., 8 views

WordPress Listdom plugin <= 4.0.0 - Open Redirection Vulnerability

Open Redirection Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin Listdom versions <= 4.0.0...

CVSS 4.7, AI score 8.1, EPSS 0.00387
Exploits 0, Affected Software 1
CVE
added 2025/04/15 8:08 p.m., 54 views

CVE-2025-32012

Summary: CVE-2025-32012 affects Jellyfin versions 10.9.0 through 10.10.6, where the "/System/Restart" admin endpoint can be spoofed to restart the server by unauthenticated attackers on the same LAN, due to how the source IP is determined. Impact: Unauthenticated DoS against default-configured Je...

CVSS 8.2, AI score 7.2, EPSS 0.00324
Exploits 0, References 2, Affected Software 1
Cvelist
added 2025/04/15 8:00 p.m., 15 views

CVE-2025-31497 TEIGarage XML External Entity (XXE) Injection in Document Conversion Service

TEIGarage is a webservice and RESTful service to transform, convert and validate various formats, focussing on the TEI format. The Document Conversion Service contains a critical XML External Entity XXE Injection vulnerability in its document conversion functionality. The service processes XML...

CVSS 7.5, EPSS 0.00132
Exploits 0, References 1
CVE
added 2025/04/15 7:14 p.m., 68 views

CVE-2025-30206

Dpanel uses a hard-coded JWT secret in its default configuration, enabling attackers to forge valid tokens and bypass authentication, potentially gaining full control of the host. The GO-2025-3612 entry cites remote code execution as the outcome of this flaw in github.com/donknap/dpanel. The advi...

CVSS 9.8, AI score 9.7, EPSS 0.00058
Exploits 0, References 1
CVE
added 2025/04/15 4:32 p.m., 59 views

CVE-2025-32779

E.D.D.I (Enhanced Dialog Driven Interface) is vulnerable to a Zip Slip path traversal in the ZIP import path ( /backup/import ) prior to version 5.5.0, allowing an attacker to write arbitrary files outside the intended extraction directory and potentially overwrite application files (e.g., JARs) ...

CVSS 6.5, AI score 6.8, EPSS 0.05681
Exploits 0, References 3
CVE
added 2025/04/15 4:32 p.m., 57 views

CVE-2025-32776

OpenRazer is affected by CVE-2025-32776 where writing specially crafted data to /matrix_custom_frame can cause the kernel driver to read more bytes than provided by userspace, with the extra data ending up in RGB arguments sent to the USB device. This is an out-of-bounds read in the OpenRazer dri...

CVSS 5.5, AI score 5.3, EPSS 0.00047
Exploits 0, References 5
NVD
added 2025/04/15 6:15 a.m., 12 views

CVE-2025-2225

The Responsive Addons for Elementor – Free Elementor Addons Plugin and Elementor Templates plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'raeltitletag' parameter in all versions up to, and including, 1.6.9 due to insufficient input sanitization and output escaping. Thi...

CVSS 6.4, EPSS 0.0043
Exploits 0, References 4