
30379 matches found

RedHat Linux
added 2025/09/25 9:9 a.m. | 5 views

Moderate: Red Hat Security Advisory: OpenShift Container Platform 4.15.58 bug fix and security update

Red Hat OpenShift Container Platform release 4.15.58 is now available with updates to packages and images that fix several bugs and add enhancements. This release includes a security update for Red Hat OpenShift Container Platform 4.15. Red Hat Product Security has rated this update as having a...

CVSS 7.5 | AI score 6.6 | EPSS 0.00527
Exploits: 2 | References: 3

RedhatCVE
added 2025/09/25 2:54 a.m. | 3 views

CVE-2025-59821

DNN formerly DotNetNuke is an open-source web content management platform CMS in the Microsoft ecosystem. Prior to version 10.1.0, DNN’s URL/path handling and template rendering can allow specially crafted input to be reflected into a user profile that is returned to the browser. In these cases,...

CVSS 6.5 | AI score 6.5 | EPSS 0.00196
Exploits: 0 | References: 1

Tenable Nessus
added 2025/09/25 12:0 a.m. | 4 views

Fedora 42 : rust-az-cvm-vtpm / rust-az-snp-vtpm / rust-az-tdx-vtpm / etc (2025-2408b72979)

The remote Fedora 42 host has packages installed that are affected by multiple vulnerabilities as referenced in the FEDORA-2025-2408b72979 advisory. Rebase trustee-guest-components to v0.13.0 Include rust-az-???-vtpm packages rebase to version 0.7.4 Adjust patches to work with 'sev' version 6...

CVSS 6.5 | AI score 6.5 | EPSS 0.00443
Exploits: 0 | References: 5

Tenable Nessus
added 2025/09/25 12:0 a.m. | 1 views

Photon OS 5.0: Linux PHSA-2025-5.0-0626

An update of the linux package has been released. %NASLMINLEVEL 80900 C Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2025-5.0-0626. The text itself is copyright C VMware, Inc. include'compat.inc'; if description...

CVSS 5.5 | AI score 7.6 | EPSS 0.00202
Exploits: 0 | References: 2

RedhatCVE
added 2025/09/24 7:34 p.m. | 4 views

CVE-2025-59433

Conventional Changelog generates changelogs and release notes from a project's commit messages and metadata. Prior to version 2.0.0, @conventional-changelog/git-client has an argument injection vulnerability. This vulnerability manifests with the library's getTags API, which allows extra paramete...

CVSS 5.3 | AI score 7.2 | EPSS 0.00202
Exploits: 0 | References: 1

OSV
added 2025/09/24 6:15 p.m. | 4 views

CVE-2025-59525 Horilla has Improper Input Sanitization Leading to XSS and Admin Account Takeover

Horilla is a free and open source Human Resource Management System HRMS. Prior to version 1.4.0, improper sanitization across the application allows XSS via uploaded SVG and via allowed , which can be chained to execute JavaScript whenever users view impacted content e.g., announcements. This can...

CVSS 7.7 | AI score 6.3 | EPSS 0.00271
Exploits: 1 | References: 5

CVE
added 2025/09/24 2:56 p.m. | 47 views

CVE-2025-8869

CVENote (CVE-2025-8869): Pip’s tar extraction fallback, used on Python builds that do not implement PEP 706, may fail to prevent symbolic links from pointing outside the extraction directory. This is a vulnerability in the tar extraction path, not in all Python tar handling. Affected scenario occ...

CVSS 5.9 | AI score 6.5 | EPSS 0.00438
Exploits: 0 | References: 3

Tenable Product Security Advisories
added 2025/09/24 2:34 p.m. | 5 views

[R1] Stand-alone Security Patch Available for Tenable Security Center versions 6.5.1 and 6.6.0: SC-202509.1

R1 Stand-alone Security Patch Available for Tenable Security Center versions 6.5.1 and 6.6.0: SC-202509.1 Jason Schavel Wed, 09/24/2025 - 10:34 Security Center leverages third-party software to help provide underlying functionality. One of the third-party components PostgreSQL was found to contai...

AI score 7.1
Exploits: 0

SUSE Linux
added 2025/09/24 9:33 a.m. | 3 views

Security update for the Linux Kernel (Live Patch 60 for SLE 12 SP5)

This update for the Linux Kernel 4.12.14-122228 fixes several issues. The following security issues were fixed: CVE-2024-49860: ACPI: sysfs: validate return type of STR method bsc1231862. CVE-2025-38177: schhfsc: make hfscqlennotify idempotent bsc1246356. CVE-2025-38181: calipso: Fix null-ptr-der...

CVSS 8.5 | AI score 7.7 | EPSS 0.00253
Exploits: 0 | References: 16

Positive Technologies
added 2025/09/24 12:0 a.m. | 4 views

PT-2025-39385

Name of the Vulnerable Software and Affected Versions Lobe Chat versions prior to 1.130.1 Description Lobe Chat, an open-source artificial intelligence chat framework, has an issue in its OIDC redirect handling logic. The logic builds the redirect URL’s host and protocol using the X-Forwarded-Hos...

CVSS 4.3 | AI score 6.7 | EPSS 0.00301
Exploits: 1 | References: 11

Positive Technologies
added 2025/09/24 12:0 a.m. | 3 views

PT-2025-39387

Name of the Vulnerable Software and Affected Versions EmbedVideo Extension versions prior to 4.0.0 Description The EmbedVideo Extension for MediaWiki, which includes a parser function called ev and parser tags for embedding video clips, contains a flaw. Versions 4.0.0 and earlier permit the...

CVSS 8.6 | AI score 5.5 | EPSS 0.00282
Exploits: 1 | References: 12

OSV
added 2025/09/23 9:8 p.m. | 3 views

CVE-2025-58354 Kata Containers coco-tdx malicious host can circumvent initdata verification

Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines VMs that perform like containers. In Kata Containers versions from 3.20.0 and before, a malicious host can circumvent initdata verification. On TDX systems running confidential guests, ...

CVSS 6.9 | AI score 6.9 | EPSS 0.00312
Exploits: 0 | References: 4

Vulnrichment
added 2025/09/23 6:54 p.m. | 8 views

CVE-2025-59822 Http4s vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section

Http4s is a Scala interface for HTTP services. In versions from 1.0.0-M1 to before 1.0.0-M45 and before 0.23.31, http4s is vulnerable to HTTP Request Smuggling due to improper handling of HTTP trailer section. This vulnerability could enable attackers to bypass front-end servers security controls...

CVSS 6.3 | AI score 6.3 | EPSS 0.00349
Exploits: 1 | References: 2

NVD
added 2025/09/23 6:15 p.m. | 5 views

CVE-2025-59546

DNN formerly DotNetNuke is an open-source web content management platform CMS in the Microsoft ecosystem. Prior to version 10.1.0, administrators and content editors can set html in module titles that could include javascript which could be used for XSS based attacks. This issue has been patched ...

CVSS 4.8 | EPSS 0.00171
Exploits: 0 | References: 1

Vulnrichment
added 2025/09/23 5:41 p.m. | 1 views

CVE-2025-59546 DNN Vulnerable to Stored XSS Using Backend Admin Credentials

DNN formerly DotNetNuke is an open-source web content management platform CMS in the Microsoft ecosystem. Prior to version 10.1.0, administrators and content editors can set html in module titles that could include javascript which could be used for XSS based attacks. This issue has been patched ...

CVSS 2.4 | AI score 5.8 | EPSS 0.00171
Exploits: 0 | References: 1

SUSE Linux
added 2025/09/23 3:59 p.m. | 5 views

Security update for nvidia-open-driver-G06-signed

This update for nvidia-open-driver-G06-signed fixes the following issues: Update non-CUDA variant to 580.82.07 bsc1249235 Update non-CUDA variant to 580.76.05 bsc1247907 get rid of rule of older KMPs not to load nvidiadrm module, which are still installed in parallel and therefore still active...

CVSS 7.8 | AI score 6.9 | EPSS 0.00203
Exploits: 0 | References: 34

OSV
added 2025/09/23 1:48 p.m. | 3 views

CLSA-2025-1758635329 Fix CVE(s): CVE-2025-57807

SECURITY UPDATE: heap out-of-bounds write in BlobStream WriteBlob - debian/patches/CVE-2025-57807.patch: enforce extent ≥ offset + length when forward-seeking before writes in MagickCore/blob.c - CVE-2025-57807...

CVSS 9.8 | AI score 5.8 | EPSS 0.00276
Exploits: 1 | References: 1

Positive Technologies
added 2025/09/23 12:0 a.m. | 3 views

PT-2025-39192

Name of the Vulnerable Software and Affected Versions DNN formerly DotNetNuke versions prior to 10.1.0 Description DNN formerly DotNetNuke is an open-source web content management platform. Administrators and content editors could set HTML in module titles, potentially including JavaScript. This...

CVSS 4.8 | AI score 5.5 | EPSS 0.00171
Exploits: 0 | References: 9

Vulnrichment
added 2025/09/22 8:59 p.m. | 2 views

CVE-2025-59535 DotNetNuke.Core allows loading of unused themes on anonymous clients through query parameters

DNN formerly DotNetNuke is an open-source web content management platform CMS in the Microsoft ecosystem. Prior to version 10.1.0, arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this could be loaded on...

CVSS 6.5 | AI score 6.3 | EPSS 0.00322
Exploits: 0 | References: 3

Cvelist
added 2025/09/22 8:59 p.m. | 8 views

CVE-2025-59535 DotNetNuke.Core allows loading of unused themes on anonymous clients through query parameters

DNN formerly DotNetNuke is an open-source web content management platform CMS in the Microsoft ecosystem. Prior to version 10.1.0, arbitrary themes can be loaded through query parameters. If an installed theme had a vulnerability, even if it was not used on any page, this could be loaded on...

CVSS 6.5 | EPSS 0.00322
Exploits: 0 | References: 3