Lucene search: 516 matches found

OSV | added 2025/09/15 7:09 p.m. | 2 views

CVE-2025-59140 backslash@0.2.1 contains malware after npm account takeover

backslash parses collected strings with escapes. On 8 September 2025, the npm publishing account for backslash was taken over after a phishing attack. Version 0.2.1 was published, functionally identical to the previous patch version, but with a malware payload added attempting to redirect...

CVSS 8.8 | AI score 7 | EPSS 0.00378 | Exploits 0 | References 7

GitHub Security Blog | added 2025/09/11 9:53 p.m. | 6 views

SurrealDB is Vulnerable to Unauthorized Data Exposure via LIVE Query Subscriptions

LIVE SELECT statements are used to capture changes to data within a table in real time. Documents included in WHERE conditions and DELETE notifications were not properly reduced to respect the querying user's security context. Instead the leaked documents reflect the context of the user triggerin...

CVSS 5.7 | AI score 6.7 | EPSS 0.00291 | Exploits 0 | References 8 | Affected software 1

OSV | added 2025/09/05 12:42 p.m. | 2 views

OESA-2025-2144 postgresql security update

PostgreSQL is an advanced object-relational database management system (DBMS). The base postgresql package contains the client programs that you'll need to access a PostgreSQL DBMS server, as well as HTML documentation for the whole system. These client programs can be located on the same machine a...

CVSS 8.8 | AI score 8.2 | EPSS 0.00709 | Exploits 2 | References 4

VulnCheck KEV | added 2025/09/04 12:00 a.m. | 10 views

VulnCheck KEV: CVE-2025-29925

XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/wikiName/pages even if the user doesn't have view rights on them. This is particularly true if the entire wiki is protected with "Prevent...

CVSS 8.7 | AI score 5.8 | EPSS 0.00887 | Exploited in the wild | Exploits 1 | References 2

Tenable Nessus | added 2025/09/03 12:00 a.m. | 3 views

Linux Distros Unpatched Vulnerability : CVE-2023-28632

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - GLPI is a free asset and IT management software package. Starting in version 0.83 and prior to versions 9.5.13 and 10.0.7, an authenticated user can modify emai...

CVSS 8.1 | AI score 7.5 | EPSS 0.00677 | Exploits 0 | References 2

Tenable Nessus | added 2025/08/31 12:00 a.m. | 1 view

Linux Distros Unpatched Vulnerability : CVE-2025-55193

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be...

CVSS 6.9 | AI score 7.1 | EPSS 0.00527 | Exploits 0 | References 2

OSV | added 2025/08/28 5:50 p.m. | 2 views

CVE-2025-58059 Valtimo scripting engine can be used to gain access to sensitive data or resources

Valtimo is a platform for Business Process Automation. In versions before 12.16.0.RELEASE, and from 13.0.0.RELEASE to before 13.1.2.RELEASE, any admin that can create or modify and execute process definitions could gain access to sensitive data or resources. This includes but is not limited to:...

CVSS 9.1 | AI score 6.3 | EPSS 0.00378 | Exploits 0 | References 4

CVE | added 2025/08/28 5:43 p.m. | 22 views

CVE-2025-58049

CVE-2025-58049 affects XWiki Platform components where PDF export jobs serialize request context, including cookies, into job status files. The root cause is unencrypted storage of user cookies (potentially exposing credentials) in the permanent data directory after a PDF export completes. Affect...

CVSS 7.5 | AI score 6.4 | EPSS 0.00341 | Exploits 1 | References 3 | Affected software 1

OSV | added 2025/08/28 4:45 p.m. | 3 views

CVE-2025-57819 FreePBX Affected by Authentication Bypass Leading to SQL Injection and RCE

FreePBX is an open-source web-based graphical user interface. FreePBX 15, 16, and 17 endpoints are vulnerable due to insufficiently sanitized user-supplied data allowing unauthenticated access to FreePBX Administrator, leading to arbitrary database manipulation and remote code execution. This issu...

CVSS 10 | AI score 8.1 | EPSS 0.8736 | Exploits 15 | References 6

Tenable Nessus | added 2025/08/27 12:00 a.m. | 3 views

Linux Distros Unpatched Vulnerability : CVE-2022-3030

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - An improper access control issue in GitLab CE/EE affecting all versions before 15.1.6, all versions from 15.2 before 15.2.4, all versions from 15.3...

CVSS 4.3 | AI score 5 | EPSS 0.00564 | Exploits 0 | References 2

Tenable Nessus | added 2025/08/26 12:00 a.m. | 2 views

Linux Distros Unpatched Vulnerability : CVE-2022-2227

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Improper access control in the runner jobs API in GitLab CE/EE affecting all versions prior to 14.10.5, 15.0 prior to 15.0.4, and 15.1 prior to 15.1.1 allows a...

CVSS 4.3 | AI score 5 | EPSS 0.00633 | Exploits 0 | References 2

CVE | added 2025/08/25 2:08 p.m. | 33 views

CVE-2025-54370

CVE-2025-54370 affects PhpSpreadsheet. The SSRF vulnerability resides in PhpOffice\PhpSpreadsheet\Worksheet\Drawing::setPath, where a user-supplied string read by the HTML reader can cause server-side requests. Affected versions are those prior to 1.30.0, 2.1.12, 2.4.0, 3.10.0, and 5.0.0; patches a...

CVSS 8.7 | AI score 6.8 | EPSS 0.00741 | Exploits 0 | References 6

Tenable Nessus | added 2025/08/20 12:00 a.m. | 4 views

Linux Distros Unpatched Vulnerability : CVE-2017-16239

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - In OpenStack Nova through 14.0.9, 15.x through 15.0.7, and 16.x through 16.0.2, by rebuilding an instance, an authenticated user may be able to circumvent the...

CVSS 6.5 | AI score 6 | EPSS 0.0141 | Exploits 0 | References 2

GitHub Security Blog | added 2025/08/19 10:24 p.m. | 5 views

Default Credentials in nginx-defender Configuration Files

Impact: This is a configuration vulnerability affecting nginx-defender deployments. The example configuration files (config.yaml, docker-compose.yml) contain default credentials (defaultpassword: "changemeplease", GFSECURITYADMINPASSWORD=admin123). If users deploy nginx-defender without changing these...

CVSS 6.5 | AI score 6.8 | EPSS 0.00223 | Exploits 0 | References 4 | Affected software 1

Tenable Nessus | added 2025/08/18 12:00 a.m. | 6 views

Linux Distros Unpatched Vulnerability : CVE-2024-24821

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - Composer is a dependency manager for the PHP language. In affected versions several files within the local working directory are included during the invocation ...

CVSS 8.8 | AI score 8.3 | EPSS 0.00271 | Exploits 0 | References 2

Tenable Nessus | added 2025/08/18 12:00 a.m. | 3 views

Linux Distros Unpatched Vulnerability : CVE-2025-25292

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - ruby-saml provides Security Assertion Markup Language (SAML) single sign-on (SSO) for Ruby. An authentication bypass vulnerability was found in ruby-saml prior to...

CVSS 9.8 | AI score 8.4 | EPSS 0.63792 | Exploits 1 | References 3

Tenable Nessus | added 2025/08/18 12:00 a.m. | 8 views

Amazon Linux 2023 : vim-common, vim-data, vim-default-editor (ALAS2023-2025-1138)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1138 advisory. Vim is an open-source, command-line text editor. Prior to version 9.1.1552, a path traversal issue in Vim's tar.vim plugin can allow overwriting of arbitrary files when opening specially craft...

CVSS 4.1 | AI score 7.2 | EPSS 0.00731 | Exploits 2 | References 6

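The tar.vim entry above describes the classic archive path traversal: a member name such as "../../.bashrc" is written relative to the extraction directory and lands outside it. The Ruby below is an added example of the check an archive reader needs before any write; it is not Vim's tar.vim code or the fix shipped in 9.1.1552. The destination directory, the member names and the helper names (safe_member_path?, partition_members) are constructed for illustration.

```ruby
# Added example (not Vim's tar.vim or its patch): refuse archive member
# names that resolve outside the extraction directory before writing them.
# Destination and member names below are constructed for illustration.

# Returns true only if `member`, resolved relative to `dest_dir`, stays
# inside `dest_dir`. Rejects empty names, NUL bytes, absolute names and
# "~user" names (File.expand_path would turn the latter into a home dir).
def safe_member_path?(dest_dir, member)
  return false if member.empty? || member.include?("\0")
  return false if member.start_with?("/", "~")

  base   = File.expand_path(dest_dir)
  target = File.expand_path(member, base)
  # Compare on a separator boundary so "/tmp/out" does not accept "/tmp/outside".
  target == base || target.start_with?(base + File::SEPARATOR)
end

# Splits a member list into names that may be written and names that must
# be refused, the way an extractor would do before touching the filesystem.
def partition_members(dest_dir, members)
  members.partition { |m| safe_member_path?(dest_dir, m) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed member list from a hypothetical crafted archive.
  members = ["README", "src/main.c", "a/../b", "../../.bashrc", "/etc/cron.d/x", "a/../../b"]
  ok, refused = partition_members("/tmp/out", members)
  puts "extract: #{ok.inspect}"
  puts "refuse:  #{refused.inspect}"
end
```

This check covers names only. An archive that first emits a symlink member pointing outside the destination and then a regular file under that link defeats a name check, so symlink members need their own handling (refuse them, or extract them last after verifying their targets), which this example does not implement.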
SUSE CVE | added 2025/08/14 11:22 p.m. | 1 view

SUSE CVE-2025-55193

Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is written directly to the terminal it may include unescaped ANSI sequences. This issue has been patched in...

CVSS 4.3 | AI score 6.8 | EPSS 0.00527 | Exploits 0 | References 5

OSV | added 2025/08/13 11:15 p.m. | 2 views

DEBIAN-CVE-2025-55193

Active Record connects classes to relational database tables. Prior to versions 7.1.5.2, 7.2.2.2, and 8.0.2.1, the ID passed to find or similar methods may be logged without escaping. If this is written directly to the terminal it may include unescaped ANSI sequences. This issue has been patched in...

CVSS 6.9 | AI score 8.1 | EPSS 0.00527 | Exploits 0 | References 1

CVE | added 2025/08/13 10:41 p.m. | 71 views

CVE-2025-55193

CVE-2025-55193 affects Rails Active Record: the ID passed to find-like methods may be logged unescaped, potentially injecting unescaped ANSI sequences if logged to a terminal. The issue is fixed in Rails versions 7.1.5.2, 7.2.2.2, and 8.0.2.1. Public advisories in Debian (DSA-6090) and Fedora/Ope...

CVSS 6.9 | AI score 7 | EPSS 0.00527 | Exploits 0 | References 4

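The CVE-2025-55193 entries above (Tenable, SUSE, Debian and the CVE record) all describe one defect: a request-controlled record ID reaches the log verbatim, so a terminal showing that log interprets any ANSI sequences embedded in the ID. The Ruby below is an added example of the vulnerable pattern, a hardened pattern and a detection regex; it is not Rails' own logging code or the patch shipped in 7.1.5.2, 7.2.2.2 and 8.0.2.1. The log line format, the escape_control_chars sanitiser and the attacker-controlled ID are assumptions made for illustration.

```ruby
# Added example (not Rails' own code): why a user-controlled record ID must
# not reach a terminal-bound log verbatim, and one way to neutralise it.
# The log format and sanitiser are assumptions for illustration, not the
# fix Rails shipped in 7.1.5.2 / 7.2.2.2 / 8.0.2.1.

# Constructed attacker-controlled ID, as if taken from GET /users/:id.
# It clears the screen, homes the cursor and prints a fake green INFO line,
# hiding the real query from anyone tailing the log in a terminal.
MALICIOUS_ID = "42\e[2J\e[H\e[1;32mINFO: audit disabled\e[0m".freeze

# Vulnerable pattern: interpolate the raw ID into the log line.
def log_find_unescaped(model, id)
  "#{model} Load: id=#{id}"
end

# Hardened pattern: rewrite every C0/C1 control character (ESC is 0x1b)
# into a visible escape before it reaches the logger, so a terminal renders
# it as text instead of acting on it.
def escape_control_chars(str)
  str.gsub(/[\u0000-\u001f\u007f-\u009f]/) do |c|
    case c
    when "\e" then "\\e"
    when "\n" then "\\n"
    when "\r" then "\\r"
    when "\t" then "\\t"
    else format("\\x%02X", c.ord)
    end
  end
end

def log_find_escaped(model, id)
  "#{model} Load: id=#{escape_control_chars(id.to_s)}"
end

# Detection side: a CSI sequence is ESC '[' parameter bytes, intermediate
# bytes, then a final byte in 0x40..0x7e. Run this over existing log files
# to find lines that already carry raw terminal control sequences.
CSI_PATTERN = /\e\[[0-9;?]*[ -\/]*[@-~]/

def contains_terminal_escape?(line)
  CSI_PATTERN.match?(line)
end

if __FILE__ == $PROGRAM_NAME
  puts log_find_unescaped("User", MALICIOUS_ID).inspect # raw ESC bytes present
  puts log_find_escaped("User", MALICIOUS_ID)           # rendered harmlessly
end
```

Escaping at the logging boundary, rather than validating IDs at the controller, is the durable choice: every value that can reach a log line gets the same treatment, including ones that are legitimately non-numeric. The detection regex only catches CSI sequences; OSC sequences (ESC ']') used for things like terminal title changes need a second pattern if your log review cares about them.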