PT-2025-48988

Name of the Vulnerable Software and Affected Versions Step CA versions prior to 0.29.0 Description Step CA is an online certificate authority for secure, automated certificate management for DevOps. A flaw exists in the authorization check for SSH certificate revocation, specifically impacting...

CVE-2025-66289

OrangeHRM is a comprehensive human resource management HRM system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a result, a disabled user, o...

CVE-2025-66289

OrangeHRM is a comprehensive human resource management HRM system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a result, a disabled user, o...

GHSA-WMJR-V86C-M9JJ Better Auth's multi-session sign-out hook allows forged cookies to revoke arbitrary sessions

Summary A vulnerability was identified in the multi-session plugin for Better Auth, specifically in the /sign-out after-hook. The hook trusts raw multi-session cookies and forwards the extracted values directly to internalAdapter.deleteSessions without verifying the cookie signature. Because cook...

JLSEC-2025-209 An issue was discovered in Arm Mbed TLS before 2.24.0

An issue was discovered in Arm Mbed TLS before 2.24.0. mbedtlsx509crlparseder has a buffer over-read of one byte...

JLSEC-2025-208 An issue was discovered in Arm Mbed TLS before 2.24.0

An issue was discovered in Arm Mbed TLS before 2.24.0. It incorrectly uses a revocationDate check when deciding whether to honor certificate revocation via a CRL. In some situations, an attacker can exploit this by changing the local clock...

CVE-2025-61664

A vulnerability in the GRUB2 bootloader has been identified in the normal module. This flaw, a memory Use After Free issue, occurs because the normalexit command is not properly unregistered when its related module is unloaded. An attacker can exploit this condition by invoking the command after...

CVE-2025-61661

A vulnerability has been identified in the GRUB Grand Unified Bootloader component. This flaw occurs because the bootloader mishandles string conversion when reading information from a USB device, allowing an attacker to exploit inconsistent length values. A local attacker can connect a malicious...

CVE-2025-61662

A Use-After-Free vulnerability has been discovered in GRUB's gettext module. This flaw stems from a programming error where the gettext command remains registered in memory after its module is unloaded. An attacker can exploit this condition by invoking the orphaned command, causing the applicati...

CVE-2025-54771

A use-after-free vulnerability has been identified in the GNU GRUB Grand Unified Bootloader. The flaw occurs because the file-closing process incorrectly retains a memory pointer, leaving an invalid reference to a file system structure. An attacker could exploit this vulnerability to cause grub t...

CVE-2025-54770

A vulnerability has been identified in the GRUB2 bootloader's network module that poses an immediate Denial of Service DoS risk. This flaw is a Use-after-Free issue, caused because the netsetvlan command is not properly unregistered when the network module is unloaded from memory. An attacker who...

PT-2025-47368

Name of the Vulnerable Software and Affected Versions Wiki.js version 2.5.307 Description Wiki.js does not properly revoke or invalidate active JWT tokens when a user logs out. This allows previously issued tokens to remain valid and be reused to access the system, even after logout. The issue...

CVE-2025-56643

CVE-2025-56643 affects Wiki.js 2.5.307. The root cause is in the authentication resolver logic, where active JWT tokens are not properly revoked or invalidated on user logout. This leaves previously issued tokens valid for GraphQL and logout endpoints, enabling potential unauthorized access if a ...

CVE-2025-56643

Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid and can be reused to access the system, even after logout. This behavior affects session integrity and may allow unauthorized access if a toke...

EUVD-2025-198058

Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid and can be reused to access the system, even after logout. This behavior affects session integrity and may allow unauthorized access if a toke...

CVE-2025-56643

Requarks Wiki.js 2.5.307 does not properly revoke or invalidate active JWT tokens when a user logs out. As a result, previously issued tokens remain valid and can be reused to access the system, even after logout. This behavior affects session integrity and may allow unauthorized access if a toke...

CVE-2024-21635

Memos is a privacy-first, lightweight note-taking service that uses Access Tokens to authenticate application access. When a user changes their password, the existing list of Access Tokens stay valid instead of expiring. If a user finds that their account has been compromised, they can update the...

ProxyPrints: From Database Breach to Spoof, a Plug-And-Play Defense for Biometric Systems

Fingerprint recognition systems are widely deployed for authentication and forensic applications, but the security of stored fingerprint data remains a critical vulnerability. While many systems avoid storing raw fingerprint images in favor of minutiae-based templates, recent research shows that...

Memos' Access Tokens Stay Valid after User Password Change

Summary Access Tokens are used to authenticate application access. When a user changes their password, the existing list of Access Tokens stay valid instead of expiring. If a user finds that their account has been compromised, they can update their password. The bad actor though will still have...

EUVD-2024-19274

Memos' Access Tokens Stay Valid after User Password Change...