30368 matches found

OSV
added 2025/12/18 10:09 a.m., 3 views

RHSA-2025:23425 Red Hat Security Advisory: kernel security update

Bulletin has no description...

CVSS 7.6, AI score 6.9, EPSS 0.00184
Exploits: 0, References: 18
OSV
added 2025/12/18 9:36 a.m., 2 views

CLSA-2025-1766050574 podman: Fix of CVE-2025-52881

CVE-2025-52881: fix security vulnerability in /proc file handle operations - Partial backport: add pathrs-lite library from runc v1.2.8 vendor directory...

CVSS 7.5, AI score 5.8, EPSS 0.00526
Exploits: 1, References: 1
IBM Security Bulletins
added 2025/12/18 5:39 a.m., 5 views

Security Bulletin: Vulnerability in urllib3 affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2024-37891]

Summary: The urllib3 package is used by IBM Cloud Pak for Data System 2.0. IBM Cloud Pak for Data System 2.0 has addressed the applicable CVEs: CVE-2024-37891. Vulnerability Details: CVEID: CVE-2024-37891. DESCRIPTION: urllib3 could allow a remote authenticated attacker to obtain sensitive information...

CVSS 6.5, AI score 6.6, EPSS 0.00965
Exploits: 1, Affected software: 1
Malwarebytes
added 2025/12/17 4:02 p.m., 4 views

Two Chrome flaws could be triggered by simply browsing the web: Update now

Google issued an extra patch addressing two security vulnerabilities in Chrome, both of which can be triggered remotely by an attacker when a user visits a specially crafted, malicious web page. Chrome is by far the world’s most popular browser, with an estimated 3.4 billion users. That makes it ...

CVSS 8.8, AI score 7.1, EPSS 0.0281
Exploits: 0
IBM Security Bulletins
added 2025/12/17 2:51 p.m., 6 views

Security Bulletin: Vulnerability in requests affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2024-35195]

Summary: The requests package is used by IBM Cloud Pak for Data System 2.0. IBM Cloud Pak for Data System 2.0 has addressed the applicable CVEs: CVE-2024-35195. Vulnerability Details: CVEID: CVE-2024-35195. DESCRIPTION: Psf Requests could allow a local authenticated attacker to bypass security...

CVSS 5.6, AI score 6.1, EPSS 0.0034
Exploits: 0, Affected software: 1
SUSE Linux
added 2025/12/17 2:45 p.m., 3 views

Security update for helm

This update for helm rebuilds it against the current Go toolchain to fix security issues in go-stdlib. Patch Instructions: To install this SUSE update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch". Alternatively, you can run the command listed for your product: SUSE...

AI score 7.2
Exploits: 0
NVD
added 2025/12/17 7:15 a.m., 3 views

CVE-2025-11924

The Ninja Forms – The Contact Form Builder That Grows With You plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 3.13.2. This is due to the plugin not properly verifying that a user is authorized before the ninja-forms-views REST endpoints...

CVSS 7.5, EPSS 0.00364
Exploits: 0, References: 2
Oracle linux
added 2025/12/17 12:00 a.m., 4 views

glibc security update

2.28-251.0.3.27 - Forward port of Oracle patches. Reviewed-by: David Faust. Oracle history: August-5-2025 Cupertino Miranda - 2.28-251.0.3.25 - Forward port of Oracle patches. Reviewed-by: Jose E. Marchesi. June-9-2025 Cupertino Miranda - 2.28-251.0.3.22 - Forward port of Oracle patches. Reviewed-by:...

CVSS 5.9, AI score 6.8, EPSS 0.00392
Exploits: 1
OSV
added 2025/12/16 10:35 p.m., 4 views

GHSA-3F5F-XGRJ-97PF Parse Server is vulnerable to Server-Side Request Forgery (SSRF) via Instagram OAuth Adapter

Impact: The Instagram authentication adapter allows clients to specify a custom API URL via the apiURL parameter in authData. This enables SSRF attacks and possibly authentication bypass if malicious endpoints return fake responses to validate unauthorized users. Patches: Fixed by hardcoding the...

CVSS 8.3, AI score 7, EPSS 0.00291
Exploits: 0, References: 5
Github Security Blog
added 2025/12/16 7:36 p.m., 7 views

Parse Server has a Cross-Site Scripting (XSS) vulnerability via Unescaped Mustache Template Variables

Impact: A Reflected Cross-Site Scripting (XSS) vulnerability exists in Parse Server's password reset and email verification HTML pages. Patches: The patch escapes user-controlled values that are inserted into the HTML pages. Workarounds: None. Resources: -...

CVSS 6.1, AI score 5.9, EPSS 0.00183
Exploits: 0, References: 5, Affected software: 1
OSV
added 2025/12/16 6:06 p.m., 6 views

CVE-2025-68142 PyMdown Extensions has ReDOS bug in Figure Capture extension

PyMdown Extensions is a set of extensions for the Python-Markdown markdown project. Versions prior to 10.16.1 have a ReDoS bug within the figure caption extension pymdownx.blocks.caption. In systems that take unchecked user content, this could cause long hangs when processing the data if a...

CVSS 6.9, AI score 6.5, EPSS 0.00356
Exploits: 1, References: 5
EUVD
added 2025/12/16 4:34 p.m., 2 views

EUVD-2025-203801

GLPI is a free asset and IT management software package. Starting in version 10.0.0 and prior to version 10.0.21, an unauthenticated user can store an XSS payload through the inventory endpoint. Users should upgrade to 10.0.21 to receive a patch...

CVSS 6.5, AI score 5.9, EPSS 0.00241
Exploits: 0, References: 1
Debian CVE
added 2025/12/16 3:39 p.m., 3 views

CVE-2025-68313

In the Linux kernel, the following vulnerability has been resolved: x86/CPU/AMD: Add RDSEED fix for Zen5 There's an issue with RDSEED's 16-bit and 32-bit register output variants on Zen5 which return a random value of 0 "at a rate inconsistent with randomness while incorrectly signaling success...

AI score 5.2, EPSS 0.00155
Exploits: 0
OSV
added 2025/12/16 2:15 p.m., 2 views

UBUNTU-CVE-2025-68175

In the Linux kernel, the following vulnerability has been resolved: media: nxp: imx8-isi: Fix streaming cleanup on release. The current implementation unconditionally calls mxc_isi_video_cleanup_streaming() in mxc_isi_video_release(). This can lead to situations where any release call, like from a simple...

AI score 5.7, EPSS 0.00166
Exploits: 0, References: 10
Debian CVE
added 2025/12/16 2:08 p.m., 4 views

CVE-2025-68236

In the Linux kernel, the following vulnerability has been resolved: scsi: ufs: ufs-qcom: Fix UFS OCP issue during UFS power down (PC=3). According to the UFS specifications, the power-off sequence for a UFS device includes: - Sending an SSU command with PowerCondition=3 and awaiting a response. - Asserting...

AI score 5.3, EPSS 0.00145
Exploits: 0
CVE
added 2025/12/16 1:42 p.m., 16 views

CVE-2025-68177

CVE-2025-68177: In the Linux kernel, cpufreq/longhaul: longhaul_exit improperly dereferenced a NULL policy pointer. The fix adds an unlikely() guard and an early return when policy is NULL, with the upstream patchset released in kernel 6.6.120. Mageia OSVs indicate updated kernel packages (6.6.120) addressi...

AI score 6, EPSS 0.00177
Exploits: 0, References: 8
OSV
added 2025/12/16 1:39 p.m., 7 views

CVE-2025-40358 riscv: stacktrace: Disable KASAN checks for non-current tasks

In the Linux kernel, the following vulnerability has been resolved: riscv: stacktrace: Disable KASAN checks for non-current tasks. When unwinding the stack of a task other than current, KASAN would report "BUG: KASAN: out-of-bounds in walk_stackframe+0x41c/0x460". There is a same issue on x86 and has bee...

AI score 6.3, EPSS 0.00168
Exploits: 0, References: 8
EUVD
added 2025/12/16 12:56 a.m., 4 views

EUVD-2025-203485

Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. In versions prior to 8.6.1 and 9.1.0-alpha.3, a Reflected Cross-Site Scripting XSS vulnerability exists in Parse Server's password reset and email verification HTML pages. The patch, available ...

CVSS 5.3, AI score 5.2, EPSS 0.00183
Exploits: 0, References: 4
RubySec
added 2025/12/16 12:00 a.m., 6 views

ALTCHA Proof-of-Work Vulnerable to Challenge Splicing and Replay

Impact: A cryptographic semantic binding flaw in ALTCHA libraries allows challenge payload splicing, which may enable replay attacks. The HMAC signature does not unambiguously bind challenge parameters to the nonce, allowing an attacker to reinterpret a valid proof-of-work submission with a modifi...

CVSS 6.5, AI score 6.6, EPSS 0.00262
Exploits: 0, References: 1, Affected software: 1
NVD
added 2025/12/15 9:15 p.m., 2 views

CVE-2025-64725

Weblate is a web-based localization tool. In versions prior to 5.15, it was possible to accept an invitation opened by a different user. Version 5.15 contains a patch. As a workaround, avoid leaving one's Weblate sessions with an invitation opened unattended...

CVSS 9.8, EPSS 0.00319
Exploits: 0, References: 4