NVD
added 2025/05/30 8:15 p.m. · 17 views

CVE-2025-48949

Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially...

CVSS 9.8 · EPSS 0.00423
Exploits: 0 · References: 2

Vulnrichment
added 2025/05/30 7:40 p.m. · 9 views

CVE-2025-48949 Navidrome allows SQL Injection via role parameter

Navidrome is an open source web-based music collection server and streamer. Versions 0.55.0 through 0.55.2 have a vulnerability due to improper input validation on the role parameter within the API endpoint /api/artist. Attackers can exploit this flaw to inject arbitrary SQL queries, potentially...

CVSS 9.3 · AI score 6.9 · EPSS 0.00423
Exploits: 0 · References: 2

Cvelist
added 2025/05/30 7:21 p.m. · 10 views

CVE-2025-48946 liboqs affected by theoretical design flaw in HQC

liboqs is a C-language cryptographic library that provides implementations of post-quantum cryptography algorithms. liboqs prior to version 0.13.0 supports the HQC algorithm, an algorithm with a theoretical design flaw which leads to large numbers of malformed ciphertexts sharing the same implici...

CVSS 3.7 · EPSS 0.00201
Exploits: 0 · References: 4

NVD
added 2025/05/30 6:15 p.m. · 13 views

CVE-2025-48887

vLLM, an inference and serving engine for large language models (LLMs), has a Regular Expression Denial of Service (ReDoS) vulnerability in the file vllm/entrypoints/openai/tool_parsers/pythonic_tool_parser.py of versions 0.6.4 up to but excluding 0.9.0. The root cause is the use of a highly complex and...

CVSS 6.5 · EPSS 0.00426
Exploits: 1 · References: 3

Patchstack
added 2025/05/30 2:14 p.m. · 5 views

WordPress Min Max Step Quantity Limits Manager for WooCommerce plugin <= 5.0.3 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by muhammad yudha (Patchstack Alliance) in WordPress Plugin Min Max Step Quantity Limits Manager for WooCommerce versions <= 5.0.3...

CVSS 6.5 · AI score 6.9 · EPSS 0.00209
Exploits: 0 · Affected Software: 1

Patchstack
added 2025/05/30 2:09 p.m. · 8 views

WordPress Number of Products per Page – Pagination Manager for WooCommerce plugin <= 2.4.0 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting (XSS) vulnerability discovered by muhammad yudha (Patchstack Alliance) in WordPress Plugin Number of Products per Page – Pagination Manager for WooCommerce versions <= 2.4.0...

CVSS 6.5 · AI score 6.6 · EPSS 0.00209
Exploits: 0 · Affected Software: 1

IBM Security Bulletins
added 2025/05/30 8:28 a.m. · 8 views

Security Bulletin: IBM Maximo Application Suite Predict Component: Flask is a web server gateway interface (WSGI) web application framework. In Flask 3.1.0, the way fallback key configuration was handled resulted in the last fallback key being used.

Summary: IBM Maximo Application Suite Predict Component uses Flask, a web server gateway interface (WSGI) web application framework, in Flask 3.1.0. This bulletin contains information regarding the vulnerability and its fix. Vulnerability Details: CVEID: CVE-2025-4727...

CVSS 1.8 · AI score 6.5 · EPSS 0.00152
Exploits: 0 · Affected Software: 1

NVD
added 2025/05/30 7:15 a.m. · 11 views

CVE-2025-48485

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data when an authenticated user updates the profile of an arbitrary customer...

CVSS 6.1 · EPSS 0.00215
Exploits: 1 · References: 1

Patchstack
added 2025/05/30 6:44 a.m. · 10 views

WordPress Simple Page Access Restriction plugin <= 1.0.31 - Cross-Site Request Forgery via Multiple Parameters vulnerability

Cross-Site Request Forgery via Multiple Parameters vulnerability discovered by Jonas Benjamin Friedli in WordPress Plugin Simple Page Access Restriction versions <= 1.0.31...

CVSS 6.5 · AI score 6.5 · EPSS 0.00193
Exploits: 0 · References: 1 · Affected Software: 1

Vulnrichment
added 2025/05/30 4:34 a.m. · 8 views

CVE-2025-48479 FreeScout Has Business Logic Errors

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the laravel-translation-manager package does not correctly validate user input, enabling the deletion of any directory, given sufficient access rights. This issue has been patched in version 1.8.180...

CVSS 8.5 · AI score 6.5 · EPSS 0.0027
Exploits: 1 · References: 1

Patchstack
added 2025/05/29 7:53 p.m. · 9 views

WordPress Minimal Share Buttons plugin <= 1.7.3 - Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via align Parameter vulnerability discovered by Peter Thaleikis in WordPress Plugin Minimal Share Buttons versions <= 1.7.3...

CVSS 6.4 · AI score 5.5 · EPSS 0.00245
Exploits: 0 · References: 1 · Affected Software: 1

IBM Security Bulletins
added 2025/05/29 7:20 a.m. · 17 views

Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to a denial of service due to Netty in IBM WebSphere Application Server Liberty (CVE-2025-25193)

Summary: IBM Maximo Application Suite - Monitor Component is vulnerable to a denial of service due to Netty in IBM WebSphere Application Server Liberty (CVE-2025-25193). This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details: CVEID: CVE-2025-25193...

CVSS 5.5 · AI score 5.6 · EPSS 0.00357
Exploits: 0 · Affected Software: 1

CBLMariner
added 2025/05/28 9:14 p.m. · 5 views

CVE-2025-22872 affecting package kubevirt for versions less than 1.2.0-17

CVE-2025-22872 affecting package kubevirt for versions less than 1.2.0-17. A patched version of the package is available...

CVSS 6.5 · AI score 6.8 · EPSS 0.0045
Exploits: 0

CBLMariner
added 2025/05/28 9:14 p.m. · 7 views

CVE-2024-4603 affecting package edk2 for versions less than 20240524git3e722403cd16-8

CVE-2024-4603 affecting package edk2 for versions less than 20240524git3e722403cd16-8. A patched version of the package is available...

CVSS 5.3 · AI score 7.1 · EPSS 0.01131
Exploits: 0

OSV
added 2025/05/28 5:15 p.m. · 2 views

CVE-2025-5257

Summary: This advisory addresses a security vulnerability in Mautic where unpublished page previews could be accessed by unauthenticated users and potentially indexed by search engines. This could lead to the unintended disclosure of draft content or sensitive information. Unauthorized Access to...

CVSS 6.5 · AI score 5.8 · EPSS 0.00298
Exploits: 0 · References: 1

Github Security Blog
added 2025/05/28 2:38 p.m. · 24 views

Valtimo backend libraries allows objects in the object-api to be accessed and modified by unauthorized users

Impact: All objects for which an object-management configuration exists can be listed, viewed, edited, created or deleted by unauthorised users. If object URLs are exposed via other channels, the contents of these objects can be viewed independent of object-management configurations. Attack...

CVSS 8.3 · AI score 8.2 · EPSS 0.00291
Exploits: 0 · References: 4 · Affected Software: 2

Positive Technologies
added 2025/05/28 12:00 a.m. · 6 views

PT-2025-23079 · Unknown · Campcodes Online Hospital Management System

Name of the Vulnerable Software and Affected Versions: Campcodes Online Hospital Management System version 1.0. Description: A critical issue was found in the system. The problem is related to an unknown function of the file /admin/betweendates-detailsreports.php. The manipulation of the fromdate...

CVSS 9.8 · AI score 7.4 · EPSS 0.00758
Exploits: 3 · References: 13

NVD
added 2025/05/27 3:15 p.m. · 13 views

CVE-2025-3704

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DBAR Productions Volunteer Sign Up Sheets (pta-volunteer-sign-up-sheets) allows Stored XSS. This issue affects Volunteer Sign Up Sheets: from n/a through 5.5.5...

CVSS 5.9 · EPSS 0.00177
Exploits: 0 · References: 1

Github Security Blog
added 2025/05/27 3:03 p.m. · 15 views

radashi Allows Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Impact: This is a prototype pollution vulnerability. It impacts users of the set function within the Radashi library. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpect...

CVSS 8.8 · AI score 7.8 · EPSS 0.00557
Exploits: 0 · References: 4 · Affected Software: 1

Cvelist
added 2025/05/27 2:39 p.m. · 22 views

CVE-2025-3704 WordPress Volunteer Sign Up Sheets plugin < 5.5.5 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DBAR Productions Volunteer Sign Up Sheets (pta-volunteer-sign-up-sheets) allows Stored XSS. This issue affects Volunteer Sign Up Sheets: from n/a through 5.5.5...

CVSS 5.9 · EPSS 0.00177
Exploits: 0 · References: 1