GHSA-3VCG-J39X-CWFM Vyper's `slice()` may elide side-effects when output length is 0
Impact: the slice builtin can elide side effects when the output length is 0, and the source bytestring is a builtin msg.data or .code. The reason is that for these source locations, the check that length >= 1 is skipped:...
WordPress Tainacan plugin <= 0.21.14 - Arbitrary File Deletion vulnerability
Arbitrary File Deletion vulnerability discovered by astra.r3verii in WordPress Plugin Tainacan versions <= 0.21.14...
WordPress STAGGS plugin <= 2.11.0 - Arbitrary File Upload Vulnerability
Arbitrary File Upload Vulnerability discovered by astra.r3verii in WordPress Plugin STAGGS versions <= 2.11.0...
CVE-2025-47275
Auth0-PHP provides the PHP SDK for Auth0 Authentication and Management APIs. Starting in version 8.0.0-BETA1 and prior to version 8.14.0, session cookies of applications using the Auth0-PHP SDK configured with CookieStore have authentication tags that can be brute forced, which may result in...
WordPress Posts per Cat plugin <= 1.4.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by muhammad yudha in WordPress Plugin Posts per Cat versions <= 1.4.2...
WordPress Drag and Drop File Upload for Elementor Forms plugin <= 1.4.3 - Arbitrary File Deletion Vulnerability
Arbitrary File Deletion Vulnerability discovered by 0xd4rk5id3 in WordPress Plugin Drag and Drop File Upload for Elementor Forms versions <= 1.4.3...
undici Denial of Service attack via bad certificate data
Impact: Applications that use undici to implement a webhook-like system are vulnerable. If the attacker sets up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, then they can cause a memory leak. Patches: This has been patched in...
AZL-61888 CVE-2025-46836 affecting package net-tools for versions less than 2.10-4
net-tools is a collection of programs that form the base set of the NET-3 networking distribution for the Linux operating system. In versions up to and including 2.10, the Linux network utilities like ifconfig from the net-tools package do not properly validate the structure of /proc files when...
CVE-2025-47783
Label Studio is a multi-type data labeling and annotation tool. A vulnerability in versions prior to 1.18.0 allows an attacker to inject a malicious script into the context of a web page, which can lead to data theft, session hijacking, unauthorized actions on behalf of the user, and other attack...
CVE-2025-46836
net-tools is a collection of programs that form the base set of the NET-3 networking distribution for the Linux operating system. In versions up to and including 2.10, the Linux network utilities like ifconfig from the net-tools package do not properly validate the structure of /proc files when...
CVE-2025-46836
CVE-2025-46836 affects the net-tools package (e.g., ifconfig) up to version 2.10. The root cause is a bounds-check failure in get_name() in interface.c, which copies interface labels from /proc/net/dev into a fixed 16-byte stack buffer without validation. This can lead to a local arbitrary-code e...
CVE-2025-46836 net-tools Stack-based Buffer Overflow vulnerability
net-tools is a collection of programs that form the base set of the NET-3 networking distribution for the Linux operating system. In versions up to and including 2.10, the Linux network utilities like ifconfig from the net-tools package do not properly validate the structure of /proc files when...
nosurf vulnerable to CSRF due to non-functional same-origin request checks
Impact: This vulnerability allows an attacker who controls content on the target site, or on a subdomain of the target site (either via XSS or otherwise), to bypass Cross-Site Request Forgery checks and issue requests on the user's behalf. Details: Due to misuse of the Go net/http library, nosurf...
Alibaba Cloud Linux 3 : 0011: vim (ALINUX3-SA-2022:0011)
The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2022:0011 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2021-3872: vim is vulnerable to...
Alibaba Cloud Linux 3 : 0114: shim (ALINUX3-SA-2024:0114)
The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2024:0114 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2023-40546: A flaw was found in Shim...
Alibaba Cloud Linux 3 : 0049: cups (ALINUX3-SA-2024:0049)
The remote Alibaba Cloud Linux 3 host has packages installed that are affected by multiple vulnerabilities as referenced in the ALINUX3-SA-2024:0049 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2023-32324: OpenPrinting CUPS is an op...
Alibaba Cloud Linux 3 : 0056: expat (ALINUX3-SA-2025:0056)
The remote Alibaba Cloud Linux 3 host has packages installed that are affected by a vulnerability as referenced in the ALINUX3-SA-2025:0056 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2024-8176: A stack overflow vulnerability exist...
Alibaba Cloud Linux 3 : 0055: mod_auth_openidc:2.3 (ALINUX3-SA-2025:0055)
The remote Alibaba Cloud Linux 3 host has packages installed that are affected by a vulnerability as referenced in the ALINUX3-SA-2025:0055 advisory. Package updates are available for Alibaba Cloud Linux 3 that fix the following vulnerabilities: CVE-2025-31492: mod_auth_openidc is an OpenID Certifi...
WordPress Latepoint plugin <= 5.1.92 - Unauthenticated Insecure Direct Object Reference vulnerability
Unauthenticated Insecure Direct Object Reference vulnerability discovered by Martin Martin in WordPress Plugin LatePoint versions <= 5.1.92...
WordPress Uncanny Automator plugin <= 6.4.0.1 - Authenticated (Subscriber+) PHP Object Injection in automator_api_decode_message Function vulnerability
Authenticated (Subscriber+) PHP Object Injection in automator_api_decode_message Function vulnerability discovered by mikemyers in WordPress Plugin Uncanny Automator versions <= 6.4.0.1...