PT-2025-26220
Name of the Vulnerable Software and Affected Versions: jq version 1.8.0 Description: A heap use-after-free issue exists within the function f_strflocaltime of /src/builtin.c. This is a problem in a command-line JSON processor. Recommendations: For version 1.8.0, consider restricting access to the f...
WordPress FunnelKit Automations plugin <= 3.5.3 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation vulnerability
Missing Authorization to Unauthenticated Arbitrary Plugin Installation vulnerability discovered by mikemyers in WordPress Plugin FunnelKit Automations versions <= 3.5.3...
WordPress Echo RSS Feed Post Generator Plugin for WordPress plugin <= 5.4.8.1 - Reflected Cross Site Scripting (XSS) vulnerability
Reflected Cross-Site Scripting (XSS) vulnerability discovered by Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) in WordPress Plugin Echo RSS Feed Post Generator Plugin for WordPress versions <= 5.4.8.1...
CVE-2025-49149 Dify has XSS vulnerability
Dify is an open-source LLM app development platform. In version 1.2.0, there is insufficient filtering of user input by web applications. Attackers can use website vulnerabilities to inject malicious script code into web pages. This may result in a cross-site scripting XSS attack when a user...
WordPress Ivory Search plugin < 5.5.10 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by WPScan in WordPress Plugin Ivory Search versions < 5.5.10...
WordPress StreamWeasels Kick Integration plugin <= 1.1.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via status-classic-offline-text Parameter vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting via status-classic-offline-text Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin SW Kick Integration versions <= 1.1.3...
WordPress Drag and Drop Multiple File Upload for Contact Form 7 plugin <= 1.3.8.9 - Unauthenticated Arbitrary File Upload via Insufficient Blacklist Checks vulnerability
Unauthenticated Arbitrary File Upload via Insufficient Blacklist Checks vulnerability discovered by mikemyers in WordPress Plugin Drag and Drop Multiple File Upload – Contact Form 7 versions <= 1.3.8.9...
CVE-2025-6152 Steel Browser files.routes.ts handleFileUpload path traversal
A vulnerability, which was classified as critical, was found in Steel Browser up to 0.1.3. This affects the function handleFileUpload of the file api/src/modules/files/files.routes.ts. The manipulation of the argument filename leads to path traversal. It is possible to initiate the attack remotel...
Alibaba Cloud Linux 3 : 0089: mod_security (ALINUX3-SA-2025:0089)
The remote Alibaba Cloud Linux 3 host has packages installed that are affected by a vulnerability as referenced in the ALINUX3-SA-2025:0089 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2025-47947: ModSecurity is an open source, cros...
PT-2025-25674 · Ovatheme · Ovatheme Events Manager
Name of the Vulnerable Software and Affected Versions: Ovatheme Events Manager versions 1.7.5 and earlier Description: The issue allows for the unrestricted upload of files with dangerous types, enabling the use of malicious files. Recommendations: For Ovatheme Events Manager versions 1.7.5 and...
CVE-2025-47951
Weblate (localization tool) prior to version 5.12 lacked rate limiting on the second-factor verification endpoint. This allowed an attacker with valid credentials to automate OTP guessing, potentially evading authentication controls. The vulnerability has been fixed in Weblate 5.12 (and patched i...
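The Weblate entry above describes the failure mode in general terms: a second-factor check that accepts unlimited guesses turns a 6-digit OTP into a search space of at most one million requests for an attacker who already holds the password. The example below is added here and is not Weblate's code; it contrasts a verifier with no attempt budget against one that enforces a sliding-window limit per account. The server-side expected code is passed in directly (generating it, e.g. via TOTP, is out of scope), the account name "alice", the code "042317" and the limit of 5 attempts per 300 seconds are constructed values, and the clock is injectable so the window expiry can be shown without sleeping.

```python
import hmac
import time
from collections import defaultdict, deque


class OtpVerifier:
    """Second-factor verifier with an optional per-account attempt budget.

    max_attempts=None reproduces the unlimited behaviour described in the
    advisory; any other value allows that many failed guesses per window
    (sliding window of window_seconds) before the account is locked.
    """

    def __init__(self, max_attempts=None, window_seconds=300, clock=time.monotonic):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.clock = clock  # injectable for tests; assumption, not a real-world API
        self._failures = defaultdict(deque)  # account -> timestamps of failed guesses

    def _recent_failures(self, account, now):
        q = self._failures[account]
        while q and now - q[0] >= self.window:
            q.popleft()  # drop failures that fell out of the window
        return q

    def verify(self, account, submitted, expected):
        """Return "ok", "wrong" or "locked"."""
        now = self.clock()
        if self.max_attempts is not None:
            if len(self._recent_failures(account, now)) >= self.max_attempts:
                return "locked"  # refused before the code is even compared
        # constant-time compare so the comparison itself leaks nothing
        if hmac.compare_digest(submitted.encode(), expected.encode()):
            self._failures.pop(account, None)
            return "ok"
        if self.max_attempts is not None:
            self._failures[account].append(now)
        return "wrong"


def brute_force(verifier, account, expected, digits=6):
    """Enumerate every code in order; return the number of requests needed,
    or None if the verifier locked the account first."""
    for n in range(10 ** digits):
        result = verifier.verify(account, f"{n:0{digits}d}", expected)
        if result == "ok":
            return n + 1
        if result == "locked":
            return None
    return None


if __name__ == "__main__":
    print("no limit :", brute_force(OtpVerifier(), "alice", "042317"), "requests")
    print("5/window :", brute_force(OtpVerifier(max_attempts=5), "alice", "042317"))
```

With no budget the loop succeeds after 42,318 requests; with a budget of five the sixth request is refused and the correct code is refused too until the window expires, which is the behaviour the fix in Weblate 5.12 restores. In a real deployment the budget should be keyed on the account (the attacker already has the password, so a per-IP limit alone is bypassed with a proxy pool) and the lockout event should be logged.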
CVE-2025-32799 Conda-build Vulnerable to Path Traversal via Malicious Tar File
Conda-build contains commands and tools to build conda packages. Prior to version 25.4.0, the conda-build processing logic is vulnerable to path traversal (Tarslip) attacks due to improper sanitization of tar entry paths. Attackers can craft tar archives containing entries with directory traversal...
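Two entries in this list are the same bug class seen from different inputs: the Steel Browser handleFileUpload issue (an attacker-controlled filename) and the conda-build Tarslip issue (attacker-controlled tar entry names). The example below is added here and is not code from either project; it shows the check a consumer of untrusted paths needs in both cases, and why a purely lexical check is not enough for archives. The destination /tmp/pkg-extract, the upload directory /srv/uploads and the archive contents are constructed for the demonstration.

```python
import io
import os
import tarfile

# Hypothetical extraction root for the constructed archive; it need not exist,
# os.path.realpath still normalises ".." components of non-existent paths.
DEST = "/tmp/pkg-extract"


def is_within(base, target):
    """True if target, after normalisation, lies under base."""
    base = os.path.realpath(base)
    target = os.path.realpath(target)
    return os.path.commonpath([base, target]) == base


def check_relative_path(dest, name):
    """Reason a user-controlled relative path must be rejected, or None if safe.

    Usable both for a tar entry name and for an upload 'filename' argument.
    """
    if not name or os.path.isabs(name) or name.startswith(("/", "\\")):
        return "absolute path"
    if "\\" in name or "\x00" in name:
        return "suspicious characters"
    if not is_within(dest, os.path.join(dest, name)):
        return "escapes destination"
    return None


def check_tar_member(dest, member):
    """Lexical check plus link handling: a symlink or hard link pointing outside
    dest would let a later entry write through it, so it is refused up front."""
    reason = check_relative_path(dest, member.name)
    if reason is not None:
        return reason
    if member.issym() or member.islnk():
        if os.path.isabs(member.linkname):
            return "link points outside destination"
        if member.issym():
            # symlink targets are resolved relative to the link's own directory
            resolved = os.path.join(dest, os.path.dirname(member.name), member.linkname)
        else:
            # hard link targets are relative to the archive root
            resolved = os.path.join(dest, member.linkname)
        if not is_within(dest, resolved):
            return "link points outside destination"
    if member.isdev():
        return "device node"
    return None


def audit_tar(data, dest=DEST):
    """Map every entry name in the archive bytes to a rejection reason (None = safe)."""
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:") as tar:
        return {m.name: check_tar_member(dest, m) for m in tar.getmembers()}


def build_malicious_tar():
    """Constructed archive: one benign entry plus the classic escape techniques."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        def add_file(name, content=b"x"):
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))

        add_file("pkg/info/index.json", b"{}")  # legitimate package metadata
        add_file("../../.bashrc")               # parent-directory traversal
        add_file("/etc/cron.d/evil")            # absolute path
        link = tarfile.TarInfo("pkg/escape")    # symlink pointing out of the tree...
        link.type = tarfile.SYMTYPE
        link.linkname = "../../outside"
        tar.addfile(link)
        add_file("pkg/escape/payload")          # ...followed by a write through it
    return buf.getvalue()


if __name__ == "__main__":
    for name, reason in audit_tar(build_malicious_tar()).items():
        print(f"{name:24} {reason or 'ok'}")
```

Note the last entry: "pkg/escape/payload" passes the lexical check on its own, because nothing on disk yet says "pkg/escape" is a symlink. The archive is only safe because the symlink entry before it is rejected; an extractor that checks names without also policing link targets is still exploitable. Python 3.12 and later offer the same policy built in via extractall(filter="data").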
Astra Linux – Vulnerability in xz-utils
XZ Utils provides a general-purpose data-compression library along with command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, there is a bug in the multithreaded .xz decoder in liblzma: invalid inputs can potentially cause a crash. The effects of this bug include heap usage after deallocation, as...
WordPress WP Dummy Content Generator plugin <= 3.4.6 - Arbitrary User Deletion vulnerability
Arbitrary User Deletion vulnerability discovered by Mika in WordPress Plugin WP Dummy Content Generator versions <= 3.4.6...
TencentOS Server 3: .NET 7.0 (TSSA-2024:0047)
The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0047 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...
TencentOS Server 3: mod_auth_openidc:2.3 (TSSA-2025:0320)
The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2025:0320 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:...
TencentOS Server 4: python-webob (TSSA-2024:1066)
The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2024:1066 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...
TencentOS Server 4: vim (TSSA-2024:0553)
The version of Tencent Linux installed on the remote TencentOS Server 4 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2024:0553 advisory. Package updates are available for TencentOS Server 4 that fix the following vulnerabilities:...