8229 matches found

Positive Technologies
added 2025/12/09 12:00 a.m., 2 views

PT-2025-50231

Name of the Vulnerable Software and Affected Versions OpenBMCS version 2.4 Description The software contains a flaw that allows privilege escalation from a read user to an admin user. This is achieved by manipulating permissions and exploiting a weakness in the update user permissions.php script...

CVSS 8.8 | AI score 6.8 | EPSS 0.00129
Exploits 2 | References 6
Tenable Nessus
added 2025/12/09 12:00 a.m., 7 views

Amazon Linux 2023 : cni-plugins (ALAS2023-2025-1287)

It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2023-2025-1287 advisory. net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6 addresses to be included in square brackets within the host component of a URL...

CVSS 7.5 | AI score 7.3 | EPSS 0.00044
Exploits 0 | References 22
EUVD
added 2025/12/08 9:30 p.m., 3 views

EUVD-2025-201795

Client-side template injection (CSTI) in Azuriom CMS admin dashboard allows a low-privilege user to execute arbitrary template code in the context of an administrator's session. This can occur via plugins or dashboard components that render untrusted user input, potentially enabling privilege...

AI score 7.5 | EPSS 0.00075
Exploits 2 | References 6
Tenable Nessus
added 2025/12/08 12:00 a.m., 4 views

Amazon Linux 2 : cni-plugins, --advisory ALAS2-2025-3078 (ALAS-2025-3078)

The version of cni-plugins installed on the remote host is prior to 1.7.1-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-3078 advisory. net/url: insufficient validation of bracketed IPv6 hostnames The Parse function permitted values other than IPv6...

CVSS 7.5 | AI score 7.3 | EPSS 0.00044
Exploits 0 | References 22
Cvelist
added 2025/12/08 12:00 a.m., 19 views

CVE-2025-65271

Client-side template injection (CSTI) in Azuriom CMS admin dashboard allows a low-privilege user to execute arbitrary template code in the context of an administrator's session. This can occur via plugins or dashboard components that render untrusted user input, potentially enabling privilege...

EPSS 0.00075
Exploits 2 | References 5
Vulnrichment
added 2025/12/05 7:26 a.m., 1 view

CVE-2025-12130 WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors <= 2.6.4 - Cross-Site Request Forgery to Vendor Product Deletion

The WC Vendors – WooCommerce Multivendor, WooCommerce Marketplace, Product Vendors plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.6.4. This is due to missing or incorrect nonce validation on the /vendordashboard/product/delete/ endpoint...

CVSS 4.3 | AI score 4.9 | EPSS 0.00013
Exploits 0 | References 2
vulnersOsv
added 2025/12/05 12:00 a.m., 6 views

ch.iterial.keycloak.plugins:keycloak-directus-plugin (>=0.1.0 <=0.7.0), com.c4-soft.springaddons:keycloak-grants-mapper (>=3.1.13-jdk1.8 <=3.1.14-jdk17) +181 more potentially affected by CVE-2025-14083 via org.keycloak:keycloak-services (>=10.0.0 <=26.4.7)

org.keycloak:keycloak-services MAVEN version =10.0.0, =0.1.0, =3.1.13-jdk1.8, =11.0.1, =1.2.6, =1.2.5, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.2.4, =1.4.11 - com.github.wnameless.spring.boot.up:spring-boot-up-embedded-keycloak =24.3.0.0 -...

CVSS 2.7 | AI score 5.8 | EPSS 0.00009
Exploits 0
OSV
added 2025/12/04 7:16 p.m., 1 view

AZL-71510 CVE-2025-65637 affecting package cni-plugins for versions less than 1.4.0-4

A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving...

CVSS 7.5 | AI score 5.8 | EPSS 0.00055
Exploits 1 | References 1
OSV
added 2025/12/04 7:16 p.m., 4 views

AZL-71563 CVE-2025-65637 affecting package cni-plugins for versions less than 1.3.0-10

A denial-of-service vulnerability exists in github.com/sirupsen/logrus when using Entry.Writer to log a single-line payload larger than 64KB without newline characters. Due to limitations in the internal bufio.Scanner, the read fails with "token too long" and the writer pipe is closed, leaving...

CVSS 7.5 | AI score 5.8 | EPSS 0.00055
Exploits 1 | References 1
Wordfence Blog
added 2025/12/04 3:54 p.m., 14 views

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 24, 2025 to November 30, 2025)

Last week, there were 126 vulnerabilities disclosed in 113 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 60 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...

CVSS 9.8 | AI score 8.7 | EPSS 0.01178
Exploits 11
Packet Storm
added 2025/12/03 12:00 a.m., 149 views

AI Plugins 1.10.9 Shell Upload

This Metasploit module exploits unauthenticated arbitrary file upload vulnerabilities in multiple WordPress AI plugins including Cibeles AI, AI Feeds, and AI Buddy. The vulnerabilities allow attackers to upload PHP webshells via GitHub integration functionality...

CVSS 9.8 | AI score 7.5 | EPSS 0.00618
Exploits 9
OSV
added 2025/12/02 3:12 p.m., 2 views

CLSA-2025-1764688338 gstreamer1-plugins-good: Fix of CVE-2024-47537

CVE-2024-47537: qtdemux: fix integer overflow when allocating the samples table for fragmented MP4...

CVSS 9.8 | AI score 7.3 | EPSS 0.00442
Exploits 0 | References 1
OSV
added 2025/12/01 8:38 p.m., 4 views

BIT-FLUENT-BIT-2025-12978 CVE-2025-12978

Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins contain a flaw in the tag_key validation logic that fails to enforce exact key-length matching. This allows crafted inputs where a tag prefix is incorrectly treated as a full match. A remote attacker with authenticated or exposed acces...

CVSS 5.4 | AI score 7.1 | EPSS 0.00196
Exploits 0 | References 2
RedHat Linux
added 2025/12/01 9:19 a.m., 2 views

Important: Red Hat Security Advisory: Red Hat Developer Hub 1.7.3 release.

Red Hat Developer Hub 1.7.3 has been released. Red Hat Developer Hub (RHDH) is Red Hat's enterprise-grade, self-managed, customizable developer portal based on Backstage.io. RHDH is supported on OpenShift and other major Kubernetes clusters (AKS, EKS, GKE). The core features of RHDH include a single...

CVSS 6.5 | AI score 7 | EPSS 0.00042
Exploits 0 | References 7
Tenable Nessus
added 2025/12/01 12:00 a.m., 3 views

Fluent Bit < 4.0.12 / 4.1.x < 4.1.1 Multiple Vulnerabilities

The version of Fluent Bit running on the remote host is prior to 4.0.12, or 4.1.x prior to 4.1.1. It is, therefore, affected by multiple vulnerabilities, including: - Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or...

CVSS 9.1 | AI score 6.4 | EPSS 0.00196
Exploits 0 | References 7
OSV
added 2025/11/28 10:23 a.m., 5 views

CLSA-2025-1764325377 gstreamer1-plugins-base: Fix of CVE-2024-47615

CVE-2024-47615: fix OOB-Write in gstparsevorbissetuppacket by validating integer size input to prevent memory corruption...

CVSS 9.8 | AI score 7.2 | EPSS 0.00114
Exploits 0 | References 1
GithubExploit
added 2025/11/27 9:56 p.m., 132 views

Exploit for Path Traversal in Grafana

CVE-2021-43798 is a high-severity path traversa...

CVSS 7.5 | AI score 7 | EPSS 0.94438
Exploits 44
Wordfence Blog
added 2025/11/26 3:02 p.m., 18 views

Wordfence Intelligence Weekly WordPress Vulnerability Report (November 17, 2025 to November 23, 2025)

Last week, there were 167 vulnerabilities disclosed in 152 WordPress Plugins and 2 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 69 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities...

CVSS 9.8 | AI score 8.4 | EPSS 0.12346
Exploits 1
OSV
added 2025/11/24 3:15 p.m., 3 views

CVE-2025-12977

Fluent Bit in_http, in_splunk, and in_elasticsearch input plugins fail to sanitize tag_key inputs. An attacker with network access or the ability to write records into Splunk or Elasticsearch can supply tag_key values containing special characters such as newlines or ../ that are treated as valid tags...

CVSS 9.1 | AI score 6.9
Exploits 0 | References 2
CERT
added 2025/11/24 12:00 a.m., 7 views

Fluent Bit contains five vulnerabilities, including stack buffer overflow, auth bypass, and path traversal

Overview: Fluent Bit is a logging and metrics processor and forwarder that is used in a variety of cloud and container networking environments. Several vulnerabilities in Fluent Bit have been discovered that could allow for authentication bypass, remote code execution (RCE) and denial of service (DoS)...

CVSS 9.1 | AI score 8.8 | EPSS 0.00196
Exploits 0 | References 2