851 matches found

NVD
added 2025/03/13 5:15 p.m., 10 views

CVE-2025-29768

Vim, a text editor, is vulnerable to potential data loss with zip.vim and specially crafted zip files in versions prior to 9.1.1198. The impact is medium because a user must be made to view such an archive with Vim and then press 'x' on such a strange filename. The issue has been fixed as of Vim...

CVSS 4.4 | EPSS 0.00105
Exploits: 0 | References: 3

OSV
added 2025/03/13 5:4 p.m., 13 views

CVE-2025-29768 Vim vulnerable to potential data loss with zip.vim and special crafted zip files

Vim, a text editor, is vulnerable to potential data loss with zip.vim and specially crafted zip files in versions prior to 9.1.1198. The impact is medium because a user must be made to view such an archive with Vim and then press 'x' on such a strange filename. The issue has been fixed as of Vim...

CVSS 4.4 | AI score 4 | EPSS 0.00105
Exploits: 0 | References: 5

RubySec
added 2025/03/12 12:0 a.m., 18 views

Out-of-bounds Read in Ruby JSON Parser

Impact: A specially crafted document could cause an out-of-bounds read, most likely resulting in a crash. Versions 2.10.0 and 2.10.1 are impacted. Older versions are not. Patches: Version 2.10.2 fixes the problem. Workarounds: None...

CVSS 7.5 | AI score 7.4 | EPSS 0.00163
Exploits: 0 | References: 1 | Affected Software: 1

CVE
added 2025/03/11 9:49 p.m., 52 views

CVE-2025-27792

Opal CSRF protection bypass (CVE-2025-27792) affects Opal prior to v5.1.1. The issue arises because the referrer header can be dropped in CSRF requests (e.g., via ), bypassing server checks. A patch exists in version 5.1.1. Some sources indicate PoC exploitation is possible; CVSS details in the r...

CVSS 8.7 | AI score 6.8 | EPSS 0.00051
Exploits: 0 | References: 1

Cvelist
added 2025/03/11 9:32 p.m., 10 views

CVE-2025-27101 Broken Access Control in Opal filesystem's copy functionality exposes all user data

Opal is OBiBa’s core database application for biobanks or epidemiological studies. Prior to version 5.1.1, when copying any parent directory to a folder in the /temp/ directory, all files in that parent directory are copied, including files which the user should not have access to. All users of t...

CVSS 8.6 | EPSS 0.00157
Exploits: 0 | References: 2

Vulnrichment
added 2025/03/07 4:12 p.m., 8 views

CVE-2024-13086 QTS, QuTS hero

An exposure of sensitive information vulnerability has been reported to affect product. If exploited, the vulnerability could allow remote attackers to compromise the security of the system. We have already fixed the vulnerability in the following version: QTS 5.2.0.2851 build 20240808 and later...

CVSS 5.3 | AI score 7 | EPSS 0.0016
Exploits: 0 | References: 1

OSV
added 2025/03/06 10:33 p.m., 3 views

GHSA-VC29-VG52-6643 DoS Vulnerability in TraceContextPropagator.Extract - OpenTelemetry.Api

Impact: A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service (DoS) when a tracestate and traceparent header is received. These versions are used in OpenTelemetry .NET Automatic Instrumentation 1.10.0-beta.1 a...

CVSS 7.5 | AI score 6.9 | EPSS 0.00051
Exploits: 0 | References: 4

GitHub Security Blog
added 2025/03/06 10:33 p.m., 12 views

DoS Vulnerability in TraceContextPropagator.Extract - OpenTelemetry.Api

Impact: A vulnerability in OpenTelemetry.Api package 1.10.0 to 1.11.1 could cause a Denial of Service (DoS) when a tracestate and traceparent header is received. These versions are used in OpenTelemetry .NET Automatic Instrumentation 1.10.0-beta.1 a...

CVSS 7.5 | AI score 6.9 | EPSS 0.00051
Exploits: 0 | References: 4 | Affected Software: 1

AlpineLinux
added 2025/03/03 4:30 p.m., 16 views

CVE-2025-27423

Vim is an open source, command line text editor. Vim is distributed with the tar.vim plugin, that allows easy editing and viewing of compressed or uncompressed tar files. Starting with 9.1.0858, the tar.vim plugin uses the ":read" ex command line to append below the cursor position, however the i...

CVSS 7.1 | AI score 7.6 | EPSS 0.02083
Exploits: 0 | References: 4

CVE
added 2025/02/25 5:48 p.m., 105 views

CVE-2025-23046

GLPI CVE-2025-23046 affects versions 9.5.0 through 10.0.18 where a Mail servers authentication provider using an OAuth (OauthIMAP) connection allows a login using a username with an existing OAuth authorization. The root cause is an access control/authentication issue in the OAuth integration wit...

CVSS 7.5 | AI score 7.2 | EPSS 0.00047
Exploits: 0 | References: 2 | Affected Software: 1

Cvelist
added 2025/02/25 5:48 p.m., 10 views

CVE-2025-23046 GLPI vulnerable to unauthorized authentication by email using the OAuthIMAP plugin

GLPI is a free asset and IT management software package. Starting in version 9.5.0 and prior to version 10.0.18, if a "Mail servers" authentication provider is configured to use an Oauth connection provided by the OauthIMAP plugin, anyone can connect to GLPI using a user name on which an Oauth...

CVSS 6.3 | EPSS 0.00047
Exploits: 0 | References: 2

NVD
added 2025/02/24 10:15 p.m., 14 views

CVE-2025-27140

WeGIA is a Web manager for charitable institutions. An OS Command Injection vulnerability was discovered in versions prior to 3.2.15 of the WeGIA application, importardump.php endpoint. This vulnerability could allow an attacker to execute arbitrary code remotely. The command is basically a comma...

CVSS 10 | EPSS 0.02205
Exploits: 1 | References: 2

NVD
added 2025/02/24 7:15 p.m., 11 views

CVE-2025-27133

WeGIA is a Web manager for charitable institutions. A SQL Injection vulnerability was discovered in the WeGIA application prior to version 3.2.15 at the adicionartipoexame.php endpoint. This vulnerability allows an authorized attacker to execute arbitrary SQL queries, allowing access to sensitive...

CVSS 9.4 | EPSS 0.00393
Exploits: 1 | References: 2

CVE
added 2025/02/24 6:43 p.m., 71 views

CVE-2025-27133

CVE-2025-27133 affects WeGIA (Web manager for charitable institutions) prior to version 3.2.15. A SQL injection vulnerability exists at the adicionar_tipo_exame.php endpoint, parameter tipo_exame, allowing an authorized attacker to execute arbitrary SQL queries and access sensitive information. T...

CVSS 9.4 | AI score 8.2 | EPSS 0.00393
Exploits: 1 | References: 2 | Affected Software: 1

Cvelist
added 2025/02/24 6:37 p.m., 14 views

CVE-2025-27112 Navidrome has authentication bypass in Subsonic API with non-existent username

Navidrome is an open source web-based music collection server and streamer. Starting in version 0.52.0 and prior to version 0.54.5, in certain Subsonic API endpoints, a flaw in the authentication check process allows an attacker to specify any arbitrary username that does not exist on the system,...

CVSS 6.9 | EPSS 0.28457
Exploits: 1 | References: 2

CVE
added 2025/02/13 12:36 a.m., 53 views

CVE-2025-25286

CVE-2025-25286 affects Crayfish’s Homarus FFmpeg microservice. Prior to Crayfish 4.1.0, remote code execution could occur in web-accessible installations in certain configurations. The issue has been patched in islandora/crayfish:4.1.0. Workarounds include preventing Internet access to Homarus or...

CVSS 9.8 | AI score 7.7 | EPSS 0.0438
Exploits: 0 | References: 2

Cvelist
added 2025/02/12 6:21 p.m., 10 views

CVE-2025-25283 parse-duraton vulnerable to Regex Denial of Service that results in event loop delay and out of memory

parse-duraton is software that allows users to convert a human readable duration to milliseconds. Versions prior to 2.1.3 are vulnerable to an event loop delay due to the CPU-bound operation of resolving the provided string, from a 0.5ms and up to 50ms per one operation, with a varying size from...

CVSS 7.5 | EPSS 0.00117
Exploits: 0 | References: 3

Vulnrichment
added 2025/02/12 6:16 p.m., 17 views

CVE-2025-25205 Remote Authentication-Bypass can lead to server crash or limited information disclosure due to faulty pattern matching

Audiobookshelf is a self-hosted audiobook and podcast server. Starting in version 2.17.0 and prior to version 2.19.1, a flaw in the authentication bypass logic allows unauthenticated requests to match certain unanchored regex patterns in the URL. Attackers can craft URLs containing substrings lik...

CVSS 8.2 | AI score 8.3 | EPSS 0.00625
Exploits: 1 | References: 5

OSV
added 2025/02/11 6:28 p.m., 7 views

CVE-2025-25202 Ash Authentication has flawed token revocation checking logic in actions generated by `mix ash_authentication.install`

Ash Authentication is an authentication framework for Elixir applications. Applications which have been bootstrapped by the igniter installer present since AshAuthentication v4.1.0 and who have used the magic link strategy or are manually revoking tokens are affected by revoked tokens being allow...

CVSS 6.3 | AI score 6.8 | EPSS 0.0016
Exploits: 1 | References: 4

NVD
added 2025/02/10 10:15 p.m., 16 views

CVE-2025-24970

Netty, an asynchronous, event-driven network application framework, has a vulnerability starting in version 4.1.91.Final and prior to version 4.1.118.Final. When a specially crafted packet is received via SslHandler it doesn't correctly handle validation of such a packet in all cases which can lead...

CVSS 7.5 | EPSS 0.00953
Exploits: 1 | References: 5