
Snyk
added 2026/05/11 7:37 p.m.

Arbitrary Code Injection

Overview: org.webjars.npm:mermaid is a package for generating diagrams and flowcharts from text, in a manner similar to Markdown. Affected versions of this package are vulnerable to Arbitrary Code Injection due to improper sanitization of configuration options such as fontFamily, themeCSS, and...

CVSS 6.1 · AI score 5.9 · EPSS 0.00044
Exploits 0 · References 2
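The advisory above attributes the injection to configuration values such as fontFamily and themeCSS reaching generated markup without sanitization. The following is an added illustration in Python, not mermaid's own code and not from the Snyk entry: the unsafe string-interpolation pattern next to an allowlisting validator. The configuration keys are taken from the advisory; the sample configurations, the break-out payload and the forbidden-token list are constructed for the example and do not reproduce the advisory's actual vector.

```python
import re
from typing import List

# Constructed configurations. The payload is a generic CSS-context break-out
# used to illustrate the bug class; it is not the vector from the advisory.
SAFE_CONFIG = {
    "fontFamily": "trebuchet ms, verdana, arial",
    "themeCSS": ".node rect { stroke: #333; stroke-width: 1px; }",
}
EVIL_CONFIG = {
    "fontFamily": "verdana</style><script>alert(document.domain)</script><style>",
    "themeCSS": ".edgePath { stroke: red; }",
}


def render_style_vulnerable(cfg: dict) -> str:
    """Interpolates config values straight into a <style> block (the unsafe pattern)."""
    return "<style>svg { font-family: %s; } %s</style>" % (
        cfg.get("fontFamily", ""), cfg.get("themeCSS", ""))


# fontFamily: font names, digits, spaces, commas, quotes and hyphens only.
FONT_FAMILY_RE = re.compile(r"^[A-Za-z0-9 ,'\"-]+$")
# themeCSS: no markup delimiters, no external fetches, no CSS escape sequences.
CSS_FORBIDDEN = ("<", ">", "\\", "@import", "url(", "expression(")


def validate_config(cfg: dict) -> List[str]:
    """Returns a list of problems; an empty list means the config is safe to render."""
    problems = []
    font = cfg.get("fontFamily", "")
    if font and not FONT_FAMILY_RE.match(font):
        problems.append("fontFamily: characters outside the allowlist")
    css = cfg.get("themeCSS", "")
    for bad in CSS_FORBIDDEN:
        if bad.lower() in css.lower():
            problems.append(f"themeCSS: forbidden token {bad!r}")
    return problems


def render_style_hardened(cfg: dict) -> str:
    """Same output as the vulnerable renderer, but only for validated input."""
    problems = validate_config(cfg)
    if problems:
        raise ValueError("; ".join(problems))
    return render_style_vulnerable(cfg)


def breaks_out_of_style(rendered: str) -> bool:
    """True if the rendered markup closes the style element early and opens a script."""
    return "</style><script" in rendered.lower()
```

The point of the allowlist is that HTML entity escaping does not help inside a `<style>` element (entities are not decoded there, so escaping would also corrupt legitimate CSS); restricting the character set, and refusing `@import` and `url(` so a theme cannot pull external resources, is the check that actually closes the hole.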
Snyk
added 2026/01/05 8:25 p.m.

Use of Hard-coded Credentials

Overview: Affected versions of this package are vulnerable to Use of Hard-coded Credentials via the interactive installer process. An attacker can gain unauthorized remote access to the host system by exploiting the default administrative credentials over SSH before the password is reset. This is...

CVSS 9.8 · AI score 7.1 · EPSS 0.00026
Exploits 0 · References 2
EUVD
added 2025/10/07 12:30 a.m.

EUVD-2021-17258

Malware in sbrugna...

CVSS 7.5 · AI score 6.6 · EPSS 0.00034
Exploits 0 · References 2
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2022-7563

Malicious code in bioql PyPI...

CVSS 8.1 · AI score 7.1 · EPSS 0.00082
Exploits 0 · References 6
Positive Technologies
added 2025/08/07 12:00 a.m.

PT-2025-32264

Name of the Vulnerable Software and Affected Versions: OpenVPN Access Server, affected versions not specified. Description: The vulnerability allows an attacker to perform JavaScript injection via the SAML RelayState. This could potentially lead to Remote Code Execution (RCE). Recommendations: At the...

AI score 7.2 · EPSS 0.00038
Exploits 0 · References 6
Positive Technologies
added 2025/07/03 12:00 a.m.

PT-2025-27781 · Apache · Apache Httpd

Name of the Vulnerable Software and Affected Versions: Apache httpd, affected versions not specified. Description: The configuration of the Apache httpd web server is partly insecure due to unnecessarily activated modules. These modules pose a risk to the web server, enabling directory listing...

CVSS 5.3 · AI score 6.1 · EPSS 0.00394
Exploits 0 · References 8
RedhatCVE
added 2025/05/22 7:39 p.m.

CVE-2021-30327

Buffer overflow in the Sahara protocol while processing commands leads to an overwrite of secure configuration data in Snapdragon Mobile, Snapdragon Compute, Snapdragon Auto, Snapdragon IOT, Snapdragon Connectivity, Snapdragon Voice & Music...

CVSS 7.5 · AI score 7.6 · EPSS 0.00034
Exploits 0 · References 1
CVE
added 2025/05/08 7:05 p.m.

CVE-2024-12378

CVE-2024-12378 affects Arista EOS: when Secure Vxlan is configured, restarting the Tunnelsec agent may cause packets to be sent in plaintext over the secure Vxlan tunnel. In Arista’s advisory, affected EOS releases include 4.32.x, 4.31.x, 4.30.x, 4.29.x, 4.28.x and earlier in their respective tra...

CVSS 9.1 · AI score 6.9 · EPSS 0.00079
Exploits 0 · References 1
OpenVAS
added 2025/05/07 12:00 a.m.

Configure Proper SSH Key Exchange Algorithms

Key exchange is the process by which two parties establish the keys that let them use an encryption algorithm. A secure key exchange algorithm lets them establish those keys without exposing them to an observer, so that messages can be encrypted before sending and decrypted on receipt. Set the SSH key...

AI score 6.9
Exploits 0 · References 4
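The OpenVAS policy check above is about which key exchange algorithms sshd offers, and its recommendation is cut off in the listing. As an added example, not part of the OpenVAS check and not its exact algorithm list, the Python below parses the effective configuration that `sshd -T` prints, flags SHA-1-based and 1024-bit-group exchanges, and emits a replacement `KexAlgorithms` directive. The sample `sshd -T` output is constructed, and the recommended list is an assumed baseline to be reconciled with local policy and with what `ssh -Q kex` reports the target OpenSSH build supports.

```python
from typing import Dict, List, Tuple

# Constructed `sshd -T` output (the effective configuration OpenSSH prints);
# not captured from a real host. Keywords are lowercase, as sshd -T emits them.
SAMPLE_SSHD_T = """\
port 22
kexalgorithms curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1,diffie-hellman-group-exchange-sha256
ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
macs hmac-sha2-256-etm@openssh.com,hmac-sha2-512-etm@openssh.com
"""

# SHA-1-based or 1024-bit-group exchanges; treated as weak whatever else is enabled.
WEAK_KEX = {
    "diffie-hellman-group1-sha1",          # 1024-bit MODP group and SHA-1
    "diffie-hellman-group14-sha1",         # 2048-bit group, but SHA-1
    "diffie-hellman-group-exchange-sha1",  # negotiated group, but SHA-1
}

# Assumed baseline for this example: modern exchanges only. Keep only the entries
# that `ssh -Q kex` lists on the target (sntrup761x25519 needs a recent OpenSSH).
RECOMMENDED_KEX = [
    "sntrup761x25519-sha512@openssh.com",
    "curve25519-sha256",
    "curve25519-sha256@libssh.org",
    "diffie-hellman-group-exchange-sha256",
    "diffie-hellman-group16-sha512",
    "diffie-hellman-group18-sha512",
]


def parse_sshd_t(text: str) -> Dict[str, str]:
    """Turns `sshd -T` output into a keyword -> value map (first token is the keyword)."""
    cfg: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        cfg[key.lower()] = value.strip()
    return cfg


def audit_kex(text: str) -> Tuple[List[str], List[str]]:
    """Returns (configured KEX algorithms, the weak ones among them), in configured order."""
    configured = [a for a in parse_sshd_t(text).get("kexalgorithms", "").split(",") if a]
    weak = [a for a in configured if a in WEAK_KEX]
    return configured, weak


def recommended_kex_line() -> str:
    """The sshd_config directive to apply; no leading '+', so it replaces the default list."""
    return "KexAlgorithms " + ",".join(RECOMMENDED_KEX)
```

Feed `sshd -T | grep -i kexalgorithms` from the host into `audit_kex`; if anything comes back weak, put the line from `recommended_kex_line()` in sshd_config, confirm the file still parses with `sshd -t`, and reload the service. Re-run `sshd -T` afterwards rather than trusting the file, since a later `Match` block or include can override the directive.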
RedhatCVE
added 2025/04/17 8:14 p.m.

CVE-2025-30206

Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw allows attackers ...

CVSS 9.8 · AI score 7.2 · EPSS 0.00058
Exploits 0 · References 1
OSV
added 2025/04/15 7:14 p.m.

CVE-2025-30206 Dpanel's hard-coded JWT secret leads to remote code execution

Dpanel is a Docker visualization panel system which provides complete Docker management functions. The Dpanel service contains a hardcoded JWT secret in its default configuration, allowing attackers to generate valid JWT tokens and compromise the host machine. This security flaw allows attackers ...

CVSS 9.8 · AI score 7.3 · EPSS 0.00058
Exploits 0 · References 3
CVE
added 2025/04/15 7:14 p.m.

CVE-2025-30206

Dpanel uses a hard-coded JWT secret in its default configuration, enabling attackers to forge valid tokens and bypass authentication, potentially gaining full control of the host. The GO-2025-3612 entry cites remote code execution as the outcome of this flaw in github.com/donknap/dpanel. The advi...

CVSS 9.8 · AI score 9.7 · EPSS 0.00058
Exploits 0 · References 1
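The three CVE-2025-30206 entries above all say the same thing: a JWT secret that ships in the default configuration lets anyone forge tokens the service will accept. The following is an added example, written here and not Dpanel's code, showing both halves in Python with the standard library only: what an attacker holding a published HS256 secret can mint, and a startup check that refuses to run with the shipped default. The secret value, the claim names and the `jwt_secret` config key are constructed placeholders, not Dpanel's actual values.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from typing import Optional

# Placeholder standing in for a secret that ships inside a default config file.
# Constructed for this example; it is not Dpanel's actual value.
SHIPPED_DEFAULT_SECRET = b"change-me-default-jwt-secret"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def mint_hs256(secret: bytes, claims: dict) -> str:
    """Builds a JWT signed with HMAC-SHA256; anyone holding `secret` can do this."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_hs256(secret: bytes, token: str) -> Optional[dict]:
    """Returns the claims if the signature and expiry check out, otherwise None."""
    parts = token.split(".")
    if len(parts) != 3:
        return None
    h, p, s = parts
    try:
        header = json.loads(_b64url_decode(h))
        if header.get("alg") != "HS256":  # the token must never choose the algorithm
            return None
        expected = hmac.new(secret, f"{h}.{p}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(s)):
            return None
        claims = json.loads(_b64url_decode(p))
    except (ValueError, UnicodeDecodeError):
        return None
    if claims.get("exp", 0) <= time.time():
        return None
    return claims


def forge_admin_token(leaked_secret: bytes) -> str:
    """What an attacker does once the default secret is public: mint an admin token.
    The claim names here are assumed for illustration."""
    return mint_hs256(leaked_secret,
                      {"sub": "admin", "role": "admin", "exp": int(time.time()) + 3600})


def check_jwt_secret(value: bytes) -> Optional[str]:
    """Returns a problem description, or None if the secret is acceptable."""
    if value == SHIPPED_DEFAULT_SECRET:
        return "jwt secret is the value shipped in the default configuration"
    if len(value) < 32:
        return "jwt secret is shorter than 32 bytes"
    return None


def load_jwt_secret(config: dict) -> bytes:
    """Hardened startup path: refuse to run with the shipped default or a weak secret."""
    raw = config.get("jwt_secret")  # config key assumed for the example
    if raw is None:
        return secrets.token_bytes(32)  # generated per install; the caller must persist it
    value = raw.encode() if isinstance(raw, str) else raw
    problem = check_jwt_secret(value)
    if problem:
        raise RuntimeError("refusing to start: " + problem)
    return value
```

The forged token is indistinguishable from a legitimate one on the wire, so detection has to come from somewhere other than signature validation: rotate the secret (which invalidates every outstanding token, forged or not), and treat any token whose claims were never issued by the login path as evidence of compromise. The verifier also pins `alg` to HS256 so that a token cannot downgrade itself to `none`.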
IBM Security Bulletins
added 2025/04/14 8:13 a.m.

Security Bulletin: Multiple vulnerabilities in Apache Solr (lucene) affects IBM Operations Analytics - Log Analysis (CVE-2023-50386, CVE-2023-50298, CVE-2023-50292, CVE-2023-50291)

Summary: There are vulnerabilities in backup/restore APIs, Solr streaming expressions, and the Apache Solr schema designer that affect Apache Solr as used by IBM Operations Analytics - Log Analysis. Vulnerability Details: CVEID: CVE-2023-50386 DESCRIPTION: Improper Control of Dynamically-Managed Code...

CVSS 8.8 · AI score 7.5 · EPSS 0.86843
Exploits 4 · Affected Software 1
RedhatCVE
added 2025/02/15 1:25 a.m.

CVE-2025-25286

Crayfish is a collection of Islandora 8 microservices, one of which, Homarus, provides FFmpeg as a microservice. Prior to Crayfish version 4.1.0, remote code execution may be possible in web-accessible installations of Homarus in certain configurations. The issue has been patched in...

CVSS 9.8 · AI score 7.5 · EPSS 0.0438
Exploits 0 · References 1
The Hacker News
added 2024/12/19 10:00 a.m.

CISA Mandates Cloud Security for Federal Agencies by 2025 Under Binding Directive 25-01

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued Binding Operational Directive (BOD) 25-01, ordering federal civilian agencies to secure their cloud environments and abide by Secure Cloud Business Applications (SCuBA) secure configuration baselines. "Recent cybersecurity...

AI score 7.5
Exploits 0
CISA
added 2024/12/17 12:00 p.m.

CISA Issues BOD 25-01, Implementing Secure Practices for Cloud Services

Today, CISA issued Binding Operational Directive (BOD) 25-01, Implementing Secure Practices for Cloud Services, to safeguard federal information and information systems. This Directive requires federal civilian agencies to identify specific cloud tenants, implement assessment tools, and align cloud...

AI score 7.2
Exploits 0 · References 2
Pen Test Partners Blog
added 2024/05/17 5:00 a.m.

Impacts on ICS from the updated Cyber Assessment Framework (CAF)

NCSC has released an update of the Cyber Assessment Framework (CAF). The CAF represents where the rubber hits the road for the UK's NIS regulations. TL;DR: The NCSC CAF has been updated to version 3.2. There has been a material change to three aspects of the CAF. The changes are broadly sensible and...

AI score 7.5
Exploits 0
CISA
added 2023/12/21 12:00 p.m.

CISA Releases Microsoft 365 Secure Configuration Baselines and SCuBAGear Tool

CISA has published the finalized Microsoft 365 Secure Configuration Baselines, designed to bolster the security and resilience of organizations' Microsoft 365 (M365) cloud services. This guidance release is accompanied by the updated SCuBAGear tool that assesses organizations' M365...

AI score 7.1
Exploits 0 · References 7
CISA
added 2023/12/12 12:00 p.m.

CISA Releases SCuBA Google Workspace Secure Configuration Baselines for Public Comment

Today, CISA released the draft Secure Cloud Business Applications (SCuBA) Google Workspace (GWS) Secure Configuration Baselines and the associated assessment tool ScubaGoggles for public comment. The draft baselines offer minimum viable security configurations for nine GWS services:...

AI score 6.9
Exploits 0 · References 7
Malwarebytes
added 2023/12/06 2:15 p.m.

Adobe ColdFusion vulnerability used in attacks on government servers

The Cybersecurity and Infrastructure Security Agency (CISA) put out a Cybersecurity Advisory (CSA) to alert government agencies about cybercriminals using a vulnerability in Adobe ColdFusion to gain initial access to servers. Adobe ColdFusion is a platform for building and deploying web and mobile...

CVSS 5 · AI score 8.2 · EPSS 0.9433
Exploits 13