Astra Linux – Vulnerability in Erlang
Erlang is a programming language and runtime system designed for building massively scalable, soft-real-time systems with high availability requirements. OTP is a set of Erlang libraries, which includes the Erlang runtime system and several ready-to-use components written in Erlang. The packet si...
CVE-2025-47778 Sulu vulnerable to XXE in SVG File upload Inspector
Sulu is an open-source PHP content management system based on the Symfony framework. Starting in versions 2.5.21, 2.6.5, and 3.0.0-alpha1, an admin user can upload SVG which may load external data via XML DOM library. This can be used for insecure XML External Entity References. The problem has...
GHSA-7C58-G782-9J38 Craft CMS Contains a Potential Remote Code Execution Vulnerability via Twig SSTI
Craft CMS contains a potential remote code execution vulnerability via Twig SSTI. You must have administrator access and allowAdminChanges must be enabled for this to work. https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production Note: This is a follow-up to...
CVE-2025-32777
Volcano is a Kubernetes-native batch scheduling system. Prior to versions 1.11.2, 1.10.2, 1.9.1, 1.11.0-network-topology-preview.3, and 1.12.0-alpha.2, attacker compromise of either the Elastic service or the extender plugin can cause denial of service of the scheduler. This is a privilege...
CVE-2025-46554 XWiki missing authorization when accessing the wiki level attachments list and metadata via REST API
XWiki is a generic wiki platform. In versions starting from 1.8.1 to before 14.10.22, from 15.0-rc-1 to before 15.10.12, from 16.0.0-rc-1 to before 16.4.3, and from 16.5.0-rc-1 to before 16.7.0, anyone can access the metadata of any attachment in the wiki using the wiki attachment REST endpoint...
CVE-2025-46557 Any user with view access to the XWiki space can change the authenticator
XWiki is a generic wiki platform. In versions starting from 15.3-rc-1 to before 15.10.14, from 16.0.0-rc-1 to before 16.4.6, and from 16.5.0-rc-1 to before 16.10.0-rc-1, a user who can access pages located in the XWiki space (by default, anyone) can access the page XWiki.Authentication.Administrati...
CVE-2025-32974 org.xwiki.platform:xwiki-platform-security-requiredrights-default required rights analysis doesn't consider TextAreas with default content type
XWiki is a generic wiki platform. In versions starting from 15.9-rc-1 to before 15.10.8 and from 16.0.0-rc-1 to before 16.2.0, the required rights analysis doesn't consider TextAreas with default content type. When editing a page, XWiki warns since version 15.9 when there is content on the page...
org.xwiki.platform:xwiki-platform-component-wiki provides no warning when granting XWiki.ComponentClass programming right
Impact When a user with programming right edits a document in XWiki that was last edited by a user without programming right and contains an XWiki.ComponentClass, there is no warning that this will grant programming right to this object. An attacker who created such a malicious object could use...
CVE-2025-32433
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, a SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor...
GHSA-95FC-G4GJ-MQMX Steve doesn’t verify a server’s certificate and is susceptible to man-in-the-middle (MitM) attacks
Impact A vulnerability has been identified in Steve where by default it was using an insecure option that did not validate the certificate presented by the remote server while performing a TLS connection. This could allow the execution of a man-in-the-middle (MitM) attack against services using...
GHSA-G9JJ-75MX-WJCX org.xwiki.platform:xwiki-platform-oldcore allows SQL injection in short form select requests through the script query API
Impact It is possible for a user with SCRIPT right to escape from the HQL execution context and perform a blind SQL injection to execute arbitrary SQL statements on the database backend. Depending on the used database backend, the attacker may be able to not only obtain confidential information...
CVE-2025-32431
CVE-2025-32431: Traefik is vulnerable when using path-based matchers (PathPrefix, Path, PathRegex). If a request URL contains a trailing path traversal like /../ in the path, an attacker can bypass middleware routing and target a backend exposed via another router. This affects older releases pr...
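The matcher bypass described in the Traefik entry comes from checking a prefix against the path as received while the backend serves the normalized path. The following Go program is an added illustration of that bug class, not Traefik's own routing code: the routing table, router names and the assumption that `/public` has no auth middleware while `/admin` does are all constructed for the example. `matchRaw` shows the vulnerable check; `matchNormalized` matches on the path the backend will actually see.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// route is a constructed router entry (names are assumptions, not Traefik's).
type route struct {
	name   string
	prefix string
}

// Constructed routing table: "/public" is assumed to carry no auth
// middleware, "/admin" is assumed to sit behind one.
var routes = []route{
	{name: "public-no-auth", prefix: "/public"},
	{name: "admin-with-auth", prefix: "/admin"},
}

// matchRaw reproduces the vulnerable pattern: the prefix check runs on the
// request path exactly as received, so "/public/../admin" selects the
// unauthenticated router even though a normalizing backend serves /admin.
func matchRaw(reqPath string) string {
	for _, r := range routes {
		if strings.HasPrefix(reqPath, r.prefix) {
			return r.name
		}
	}
	return ""
}

// normalizePath decodes percent-escapes, resolves "." and "..", collapses
// duplicate slashes and keeps a trailing slash so "/x/" and "/x" stay distinct.
func normalizePath(p string) string {
	if decoded, err := url.PathUnescape(p); err == nil {
		p = decoded
	}
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	clean := path.Clean(p)
	if strings.HasSuffix(p, "/") && clean != "/" {
		clean += "/"
	}
	return clean
}

// matchNormalized is the hardened variant: matcher and backend agree on the
// path, so a traversal cannot pick a router whose middleware chain differs
// from the one guarding the resolved target.
func matchNormalized(reqPath string) string {
	clean := normalizePath(reqPath)
	for _, r := range routes {
		if strings.HasPrefix(clean, r.prefix) {
			return r.name
		}
	}
	return ""
}

func main() {
	for _, p := range []string{"/public/../admin", "/public/%2e%2e/admin", "/public/index.html"} {
		fmt.Printf("%-24s raw=%-16s normalized=%s\n", p, matchRaw(p), matchNormalized(p))
	}
}
```

Decoding before matching has its own edge: if the proxy forwards the decoded path, an encoded `%2F` inside a segment reaches the backend as a separator, so a real router should match and forward the same canonical form, or reject requests whose raw and normalized paths differ by more than a trailing slash.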
CVE-2025-32377
CVE-2025-32377 involves Rasa Pro voice connectors that fail to enforce authentication even when a token is configured in credentials.yml. The issue allows submitting voice data from unauthenticated sources via affected connectors. The fixed releases apply to audiocodes, audiocodes_stream, and gen...
CVE-2025-32017
Umbraco is a free and open source .NET content management system. Authenticated users to the Umbraco backoffice are able to craft management API requests that exploit a path traversal vulnerability to upload files into an incorrect location. The issue affects Umbraco 14+ and is patched in 14.3.4 an...
CVE-2025-32033
The Apollo Router Core is a configurable, high-performance graph router written in Rust to run a federated supergraph that uses Apollo Federation 2. Prior to 1.61.2 and 2.1.1, the operation limits plugin uses unsigned 32-bit integers to track limit counters (e.g. for a query's height). If a counter...
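The Apollo Router entry describes a limit counter kept in an unsigned 32-bit integer that can overflow. The Go program below is an added illustration of that bug class and is not the Apollo Router's code; it uses a constructed GraphQL-style cost counter (list size multiplies child cost) rather than the height counter named in the advisory, because a multiplicative cost is the easiest way to push a uint32 past 2^32 with a small query. The `field` type, the sample query and the limit value are all assumptions.

```go
package main

import (
	"fmt"
	"math/bits"
)

// field is a constructed selection node: listSize 0 means a scalar or single
// object, N means a list of N items (e.g. an assumed `first: N` argument).
type field struct {
	name     string
	listSize uint32
	children []field
}

// costWrapping mirrors the vulnerable pattern: unchecked uint32 arithmetic
// wraps silently, so a query whose true cost exceeds 2^32 can report a
// small number and pass the limit check.
func costWrapping(f field) uint32 {
	var c uint32 = 1 // the field itself
	for _, ch := range f.children {
		c += costWrapping(ch)
	}
	if f.listSize > 0 {
		c *= f.listSize
	}
	return c
}

// costChecked is the hardened variant: every add and multiply is checked
// with math/bits and an overflow is reported instead of wrapped.
func costChecked(f field) (uint32, bool) {
	var c uint32 = 1
	for _, ch := range f.children {
		cc, ok := costChecked(ch)
		if !ok {
			return 0, false
		}
		sum, carry := bits.Add32(c, cc, 0)
		if carry != 0 {
			return 0, false
		}
		c = sum
	}
	if f.listSize > 0 {
		hi, lo := bits.Mul32(c, f.listSize)
		if hi != 0 {
			return 0, false
		}
		c = lo
	}
	return c, true
}

// allowedWrapping applies the limit to the wrapped value (vulnerable).
func allowedWrapping(f field, limit uint32) bool {
	return costWrapping(f) <= limit
}

// allowedChecked rejects on overflow as well as on exceeding the limit.
func allowedChecked(f field, limit uint32) bool {
	c, ok := costChecked(f)
	return ok && c <= limit
}

// sampleQuery is constructed for the example:
// users(first: 65536) { friends(first: 65536) { friends(first: 65536) { id } } }
func sampleQuery() field {
	id := field{name: "id"}
	inner := field{name: "friends", listSize: 65536, children: []field{id}}
	mid := field{name: "friends", listSize: 65536, children: []field{inner}}
	return field{name: "users", listSize: 65536, children: []field{mid}}
}

func main() {
	q := sampleQuery()
	const limit uint32 = 1_000_000
	fmt.Println("wrapping cost:", costWrapping(q), "allowed:", allowedWrapping(q, limit))
	c, ok := costChecked(q)
	fmt.Println("checked cost:", c, "ok:", ok, "allowed:", allowedChecked(q, limit))
}
```

The true cost of the sample query is about 8.6 billion units, yet the wrapping counter lands on 65536 and the limit check passes; the checked counter reports the overflow and the query is refused.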
CVE-2025-31137 Remix and React Router allow URL manipulation via Host / X-Forwarded-Host headers
React Router is a multi-strategy router for React bridging the gap from React 18 to React 19. There is a vulnerability in Remix/React Router that affects all Remix 2 and React Router 7 consumers using the Express adapter. Basically, this vulnerability allows anyone to spoof the URL used in an...
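The Remix/React Router entry concerns request URLs built from `Host` or `X-Forwarded-Host` values that any client can set. The Go program below is an added illustration of that pattern and its fix, not code from Remix, React Router or the Express adapter: `requestOriginNaive` derives the origin from whatever the client sends, while `originConfig.requestOrigin` honours forwarding headers only from a known proxy and pins the result to an allowlisted host. The config field names, proxy address and host names are assumptions.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
)

// newRequest builds a request the way an HTTP server would present it:
// Host from the Host header, RemoteAddr from the TCP peer. Constructed
// helper for the example.
func newRequest(host, forwardedHost, remoteAddr string) *http.Request {
	r := &http.Request{Host: host, Header: http.Header{}, RemoteAddr: remoteAddr}
	if forwardedHost != "" {
		r.Header.Set("X-Forwarded-Host", forwardedHost)
	}
	return r
}

// requestOriginNaive mirrors the vulnerable pattern: X-Forwarded-Host (or
// Host) is taken at face value, so a client controls the origin that then
// feeds redirects, absolute links, canonical URLs and cache keys.
func requestOriginNaive(r *http.Request) string {
	host := r.Header.Get("X-Forwarded-Host")
	if host == "" {
		host = r.Host
	}
	return "http://" + host
}

// originConfig holds the assumed hardening settings.
type originConfig struct {
	scheme         string          // scheme the app is served on
	canonicalHost  string          // fallback when the host is not allowlisted
	allowedHosts   map[string]bool // hosts the app legitimately answers for
	trustedProxies map[string]bool // peer IPs allowed to set forwarding headers
}

// requestOrigin is the hardened variant: forwarding headers count only when
// the TCP peer is a trusted proxy, and any host outside the allowlist is
// replaced by the canonical host.
func (c originConfig) requestOrigin(r *http.Request) string {
	host := r.Host
	if ip, _, err := net.SplitHostPort(r.RemoteAddr); err == nil && c.trustedProxies[ip] {
		if fh := r.Header.Get("X-Forwarded-Host"); fh != "" {
			host = fh
		}
	}
	if !c.allowedHosts[host] {
		host = c.canonicalHost
	}
	return c.scheme + "://" + host
}

// exampleConfig is constructed: one proxy at 10.0.0.5, two legitimate hosts.
func exampleConfig() originConfig {
	return originConfig{
		scheme:         "https",
		canonicalHost:  "app.example",
		allowedHosts:   map[string]bool{"app.example": true, "app.internal": true},
		trustedProxies: map[string]bool{"10.0.0.5": true},
	}
}

func main() {
	cfg := exampleConfig()
	spoofed := newRequest("app.example", "evil.example", "203.0.113.9:4444")
	fmt.Println("naive:    ", requestOriginNaive(spoofed))
	fmt.Println("hardened: ", cfg.requestOrigin(spoofed))
}
```

Trusting the peer address is only meaningful when the application is not itself behind an unknown hop; where several proxies are chained, the same allowlist logic has to be applied to the whole `X-Forwarded-*` chain rather than the last hop alone.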
CVE-2025-24808
Discourse is an open-source discussion platform. Prior to versions 3.3.4 on the stable branch and 3.4.0.beta5 on the beta branch, someone who is about to reach the limit of users in a group DM may send requests to add new users in parallel. The requests might all go through ignoring the limit due...
CVE-2025-29924
XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it's possible for a user to get access to private information through the REST API - but could also be through another API - when a sub wiki is using "Prevent unregistered users to view pages". The...
CVE-2025-0431
Enterprise Protection contains a vulnerability in URL rewriting that allows an unauthenticated remote attacker to send an email which bypasses URL protections, impacting the integrity of the recipient's email. This occurs due to improper filtering of backslashes within URLs and affects all versions of...
go-redis allows potential out of order responses when `CLIENT SETINFO` times out during connection establishment
Impact The issue only occurs when the CLIENT SETINFO command times out during connection establishment. The following circumstances can cause such a timeout: 1. The client is configured to transmit its identity. This can be disabled via the DisableIndentity flag. 2. There are network connectivity...