Lucene search

30380 matches found

CVE · added 2025/07/29 11:35 p.m.

CVE-2025-43249

CVE-2025-43249 is a logic issue in macOS that can let a malicious app gain root privileges. It is fixed in macOS Sequoia 15.6, macOS Sonoma 14.7.7 and macOS Ventura 13.7.7. The CVSS vector indicates a local attack with low attack complexity, no privileges required and user interaction required (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/...

CVSS 7.8 · AI score 6.2 · EPSS 0.00207 · Exploits 0 · References 6 · Affected software 1
CVE · added 2025/07/29 11:35 p.m.

CVE-2025-31278

CVE-2025-31278 is a WebKitGTK/WebKit2GTK memory corruption issue triggered by processing malicious web content. The connected documents confirm the vulnerability affecting WebKitGTK/WebKit in multiple ecosystems and provide concrete fixes: Debian/Ubuntu-style advisories fix webkit2gtk to version ...

CVSS 8.8 · AI score 7.1 · EPSS 0.01084 · Exploits 0 · References 13 · Affected software 7
CVE · added 2025/07/29 11:29 p.m.

CVE-2025-31273

CVE-2025-31273 is a memory corruption vulnerability in WebKitGTK/WebKit2GTK when processing malicious web content. Connected advisories confirm the issue and list concrete fixes across multiple distributions: Debian webkit2gtk packages updated to 2.48.5-1~deb12u1/2.48.5-1~deb11u1, Fe...

CVSS 8.8 · AI score 7.1 · EPSS 0.00996 · Exploits 0 · References 12 · Affected software 7
Vulnrichment · added 2025/07/29 11:29 p.m.

CVE-2025-43248

A logic issue was addressed with improved restrictions. This issue is fixed in macOS Sequoia 15.6 and macOS Sonoma 14.7.7. A malicious app may be able to gain root privileges...

AI score 5.7 · EPSS 0.00207 · Exploits 0 · References 2
CVE · added 2025/07/29 11:29 p.m.

CVE-2025-43229

CVE-2025-43229 is a WebKit state-management flaw, fixed in macOS Sequoia 15.6 and Safari 18.6, that enables universal cross-site scripting when malicious web content is processed. The NVD entry lists a CVSS v3.1 base score of 6.1 (Network, Low attack complexity, User inte...

CVSS 6.1 · AI score 4.9 · EPSS 0.00302 · Exploits 0 · References 4 · Affected software 2
CVE · added 2025/07/29 11:29 p.m.

CVE-2025-31275

CVE-2025-31275 is a permissions issue in macOS Sequoia that could allow a sandboxed process to launch any installed app. It is fixed in macOS Sequoia 15.6; remediation is to upgrade to 15.6 through Apple's security updates. The CVE entry is corroborated by NVD/NIST a...

CVSS 6.2 · AI score 6.1 · EPSS 0.00188 · Exploits 0 · References 2 · Affected software 1
Cvelist · added 2025/07/29 10:11 p.m.

CVE-2025-54381 BentoML is Vulnerable to an SSRF Attack Through File Upload Processing

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.0 until 1.4.19, the file upload processing system contains an SSRF vulnerability that allows unauthenticated remote attackers to force the server to make arbitrary HTTP...

CVSS 9.9 · EPSS 0.11114 · Exploits 1 · References 2
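The SSRF class described in the BentoML entry, as an added example that is not BentoML's code: a pre-check a file-upload or URL-ingest endpoint can run before the server fetches anything. It resolves the target and rejects loopback, RFC 1918 private, link-local (which covers the 169.254.169.254 cloud metadata endpoint), shared-address, ULA and IPv4-mapped IPv6 addresses, and it requires every resolved address to pass, so a name with one public and one internal record is refused. The function name `is_safe_target`, the injectable `resolver` argument and the sample hostnames are assumptions of this example.

```python
import ipaddress
import socket
from urllib.parse import urlparse

# Ranges a model-serving host should never be asked to fetch from. The cloud
# metadata endpoint 169.254.169.254 falls inside the link-local range.
_BLOCKED_NETWORKS = [
    ipaddress.ip_network(n) for n in (
        "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
        "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
        "::1/128", "fc00::/7", "fe80::/10", "::ffff:0:0/96",
    )
]


def _default_resolver(host):
    """Resolve a hostname to all of its A/AAAA records (real DNS; not used by the tests)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_safe_target(url, resolver=_default_resolver):
    """Return True only if the URL is http(s), carries no credentials, and every
    address its host resolves to lies outside loopback/private/link-local space.

    A host that resolves to several addresses is accepted only if all of them
    are publicly routable, so split-horizon or mixed records cannot slip through.
    """
    parts = urlparse(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return False
    if parts.username or parts.password:
        return False  # "http://trusted.example@10.0.0.1/" style confusion
    host = parts.hostname
    try:
        addrs = {str(ipaddress.ip_address(host))}  # literal IP, no lookup needed
    except ValueError:
        try:
            addrs = set(resolver(host))
        except OSError:
            return False
    if not addrs:
        return False
    for a in addrs:
        ip = ipaddress.ip_address(a)
        if (ip.is_loopback or ip.is_private or ip.is_link_local
                or ip.is_multicast or ip.is_unspecified):
            return False
        if any(ip in net for net in _BLOCKED_NETWORKS):
            return False
    return True


if __name__ == "__main__":
    # Constructed resolver standing in for DNS so the demo runs offline.
    fake_dns = {
        "public.example": ["8.8.8.8"],
        "internal.example": ["10.1.2.3"],
        "mixed.example": ["8.8.8.8", "192.168.1.1"],
    }
    for u in ("http://public.example/model.bin",
              "http://internal.example/",
              "http://mixed.example/",
              "http://169.254.169.254/latest/meta-data/",
              "http://[::ffff:127.0.0.1]/"):
        print(u, "->", is_safe_target(u, fake_dns.__getitem__))
```

The check is a gate, not the whole fix: the fetch that follows must connect to the address that was checked (re-resolving opens a DNS-rebinding window), must disable redirects or re-run the check on every hop, and should cap response size and time so the endpoint cannot be used as a proxy or amplifier.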
IBM Security Bulletins · added 2025/07/29 8:59 p.m.

Security Bulletin: IBM Storage Ceph is vulnerable to Authorization Bypass in Grafana (CVE-2024-45337)

Summary: Grafana is used by IBM Storage Ceph as a metrics dashboard. This bulletin identifies the steps to take to address the vulnerability in Grafana. CVE-2024-45337 Vulnerability Details CVEID: CVE-2024-45337 DESCRIPTION: Applications and libraries which misuse connection.serverAuthenticate via...

CVSS 9.1 · AI score 6.8 · EPSS 0.03092 · Exploits 2 · Affected software 1
IBM Security Bulletins · added 2025/07/29 8:51 p.m.

Security Bulletin: IBM Storage Ceph is vulnerable to Data Amplification in Go-Jose in Grafana (CVE-2024-28180)

Summary: Grafana is used by IBM Storage Ceph as a metrics dashboard. This bulletin identifies the steps to take to address the vulnerability in Grafana. CVE-2024-28180 Vulnerability Details CVEID: CVE-2024-28180 DESCRIPTION: Package jose aims to provide an implementation of the Javascript Object...

CVSS 4.3 · AI score 6.6 · EPSS 0.01956 · Exploits 0 · Affected software 1
Github Security Blog · added 2025/07/29 7:10 p.m.

Umbraco Delivery API allows for cached requests to be returned with an invalid API key

Impact: Umbraco's content delivery API can be restricted from public access such that an API key must be provided in a header to authorize the request. It is also possible to configure output caching, such that the delivery API outputs are cached for a period of time, improving performance...

CVSS 5.3 · AI score 7 · EPSS 0.00307 · Exploits 0 · References 7 · Affected software 1
Vulnrichment · added 2025/07/29 4:54 p.m.

CVE-2025-5922 Retrievable password hash protecting TSplus admin console

Access to the TSplus Remote Access Admin Tool is restricted to administrators unless the "Disable UAC" option is enabled, and requires a PIN code. In versions below v18.40.6.17 the PIN's hash is stored in a registry key readable by regular users, making it possible to perform a brute-force attack usi...

CVSS 4.8 · AI score 6.6 · EPSS 0.0008 · Exploits 0 · References 1
OSV · added 2025/07/29 1:38 p.m.

RLSA-2025:8744 Moderate: kernel-rt security update

The kernel-rt packages provide the Real Time Linux Kernel, which enables fine-tuning for systems with extremely high determinism requirements. Security Fixes: kernel: um: Fix out-of-bounds read in LDT setup (CVE-2022-49395). For more details about the security issues, including the impact, a CVSS...

CVSS 6 · AI score 6.5 · EPSS 0.0026 · Exploits 0 · References 2
IBM Security Bulletins · added 2025/07/29 2:21 a.m.

Security Bulletin: IBM QRadar SIEM is affected by cross-site scripting (CVE-2025-33097)

Summary: IBM QRadar SIEM is affected by cross-site scripting. IBM has addressed the issue in the latest update. Vulnerability Details CVEID: CVE-2025-33097 DESCRIPTION: IBM QRadar SIEM is vulnerable to stored cross-site scripting. This vulnerability allows authenticated users to embed arbitrary...

CVSS 6.4 · AI score 5.9 · EPSS 0.0017 · Exploits 0 · Affected software 1
Positive Technologies · added 2025/07/29 12:00 a.m.

PT-2025-31370 · Umbraco · Umbraco

Name of the vulnerable software and affected versions: Umbraco 13.0.0 through 13.9.2; Umbraco 15.0.0 through 15.4.1; Umbraco 16.0.0 through 16.1.0. Description: Umbraco's content delivery API can be restricted to require an API key in a header for authorization. Output...

CVSS 5.3 · AI score 6.2 · EPSS 0.00307 · Exploits 0 · References 12
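The ordering bug behind both Umbraco delivery-API entries above (the GitHub advisory and PT-2025-31370), as an added example that is not Umbraco's code: a minimal API that checks an `Api-Key` header and keeps an output cache keyed on the request path. In the vulnerable variant the cache is consulted before authorization, so one authorized request warms the entry and every later caller, with a wrong key or no key, is served the cached body until it expires. The fixed variant authorizes every request first and only then looks in the cache, which still removes the repeated rendering work. The class names, the `Api-Key` header name, the constructed key and the `render` stand-in are assumptions of this example.

```python
import hmac

# Constructed secret for the example; a real deployment loads it from configuration.
API_KEY = "constructed-example-key"


def key_is_valid(headers):
    """Constant-time comparison of the Api-Key header against the configured key."""
    supplied = headers.get("Api-Key", "")
    return hmac.compare_digest(supplied.encode(), API_KEY.encode())


def render(path):
    """Stand-in for the real content lookup and serialization."""
    return f"<content for {path}>"


class VulnerableDeliveryApi:
    """Output cache consulted before authorization, keyed on the path alone.

    The first authorized request warms the cache; until the entry expires every
    later request for that path is served from the cache whether or not its
    Api-Key is valid. This is the behaviour the advisory describes.
    """

    def __init__(self, ttl=60):
        self.cache = {}   # path -> (stored_at, body)
        self.ttl = ttl
        self.renders = 0  # counts real render() calls so cache hits are observable

    def handle(self, path, headers, now):
        entry = self.cache.get(path)
        if entry is not None and now - entry[0] < self.ttl:
            return 200, entry[1]            # served without ever checking the key
        if not key_is_valid(headers):
            return 401, ""
        self.renders += 1
        body = render(path)
        self.cache[path] = (now, body)
        return 200, body


class FixedDeliveryApi(VulnerableDeliveryApi):
    """Authorize every request before the cache is consulted.

    The cache still saves rendering work across authorized callers, but an
    unauthorized caller never reaches it, so the key is enforced on every request.
    """

    def handle(self, path, headers, now):
        if not key_is_valid(headers):
            return 401, ""
        entry = self.cache.get(path)
        if entry is not None and now - entry[0] < self.ttl:
            return 200, entry[1]
        self.renders += 1
        body = render(path)
        self.cache[path] = (now, body)
        return 200, body


if __name__ == "__main__":
    for cls in (VulnerableDeliveryApi, FixedDeliveryApi):
        api = cls()
        api.handle("/content/1", {"Api-Key": API_KEY}, now=0)   # warm the cache
        status, body = api.handle("/content/1", {"Api-Key": "wrong"}, now=1)
        print(f"{cls.__name__}: wrong key -> {status} {body!r}")
```

An alternative used by some frameworks is to make the cache key vary on the credential, which stops the leak but gives each key its own cache entry; checking authorization before the cache lookup keeps the cache shared and is the simpler invariant to review.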
Patchstack · added 2025/07/28 9:13 p.m.

WordPress Magical Addons For Elementor plugin <= 1.3.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via Custom Attributes vulnerability

Authenticated Contributor+ stored cross-site scripting via Custom Attributes vulnerability discovered by zer0gh0st in the WordPress plugin Magical Addons For Elementor, versions <= 1.3.8...

CVSS 6.4 · AI score 5.5 · EPSS 0.00209 · Exploits 0 · References 1 · Affected software 1
IBM Security Bulletins · added 2025/07/28 9:10 p.m.

Security Bulletin: The following vulnerabilities that can affect IBM Storage Scale and the Management GUI are now included (CVE-2025-48050, CVE-2025-43865 and CVE-2025-43864)

Summary: The following vulnerabilities that can affect IBM Storage Scale and the Management GUI, and could provide weaker than expected security, are now fixed: CVE-2025-48050, CVE-2025-43865 and CVE-2025-43864. Vulnerability Details CVEID: CVE-2025-48050 DESCRIPTION: In DOMPurify through 3.2.5 before...

CVSS 8.2 · AI score 6.4 · EPSS 0.21993 · Exploits 0 · Affected software 1
OSV · added 2025/07/28 7:15 p.m.

DEBIAN-CVE-2025-8194

There is a defect in the CPython "tarfile" module affecting the "TarFile" extraction and entry enumeration APIs. The tar implementation would process tar archives with negative offsets without error, resulting in an infinite loop and deadlock during the parsing of maliciously crafted tar archives...

CVSS 7.5 · AI score 6.7 · EPSS 0.00586 · Exploits 0 · References 1
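As an added example that is not CPython's code, a header scanner showing the kind of input the entry above describes and the check that stops it: it walks the 512-byte headers of an in-memory archive, decodes numeric fields the way `tarfile.nti` does (octal text, or base-256 when the first byte is 0x80/0xff, where 0xff marks a negative number), verifies the header checksum, and refuses a negative size or a non-advancing offset instead of looping. Both archives are constructed inline with the standard library: the benign one by `tarfile` itself, the malicious one by rewriting the first header's size field to the base-256 encoding of -1 and fixing up the checksum so the header still looks well-formed. `scan_members`, `craft_negative_size` and the member names are names chosen for this example.

```python
import io
import tarfile

BLOCK = 512


def parse_number(field):
    """Decode a tar numeric field like tarfile.nti: base-256 when the first byte is
    0x80 (positive) or 0xff (negative), otherwise NUL-terminated octal text."""
    if field[0] in (0o200, 0o377):
        n = 0
        for b in field[1:]:
            n = (n << 8) | b
        if field[0] == 0o377:
            n = -(256 ** (len(field) - 1) - n)
        return n
    text = field.split(b"\0", 1)[0].decode("ascii").strip()
    return int(text or "0", 8)


def header_checksum(block):
    """Unsigned sum of the header with the 8-byte checksum field treated as spaces."""
    return sum(block[:148]) + 8 * 0x20 + sum(block[156:])


def scan_members(data, max_members=10000):
    """Enumerate member names from a raw tar byte string.

    Raises ValueError for a bad checksum, a negative size, an offset that does not
    move forward, or an implausible member count, rather than spinning on the input.
    """
    names = []
    offset = 0
    while offset + BLOCK <= len(data):
        block = data[offset:offset + BLOCK]
        if block == b"\0" * BLOCK:
            break  # end-of-archive marker
        if parse_number(block[148:156]) != header_checksum(block):
            raise ValueError(f"bad header checksum at offset {offset}")
        size = parse_number(block[124:136])
        if size < 0:
            raise ValueError(f"negative member size {size} at offset {offset}")
        names.append(block[:100].split(b"\0", 1)[0].decode("utf-8", "surrogateescape"))
        if len(names) > max_members:
            raise ValueError("too many members")
        next_offset = offset + BLOCK + ((size + BLOCK - 1) // BLOCK) * BLOCK
        if next_offset <= offset:
            raise ValueError("member does not advance the archive offset")
        offset = next_offset
    return names


def build_archive():
    """Constructed benign archive with two small regular files."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for name, payload in (("a.txt", b"hello"), ("b.txt", b"world!")):
            info = tarfile.TarInfo(name)
            info.size = len(payload)
            tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def craft_negative_size(archive):
    """Constructed malicious input: first header's size field becomes base-256 -1,
    checksum recomputed so a parser that trusts the checksum accepts the header."""
    block = bytearray(archive[:BLOCK])
    block[124:136] = b"\xff" * 12
    block[148:156] = b"%06o\0 " % header_checksum(bytes(block))
    return bytes(block) + archive[BLOCK:]


if __name__ == "__main__":
    good = build_archive()
    print("benign:", scan_members(good))
    bad = craft_negative_size(good)
    print("crafted size field decodes to", parse_number(bad[124:136]))
    try:
        scan_members(bad)
    except ValueError as e:
        print("crafted archive rejected:", e)
```

The scanner is a pre-filter for untrusted archives; on a patched interpreter the module itself rejects such input, but the same walk with the same checks is a cheap guard to keep in front of any extraction that runs on attacker-supplied files, with a member-count and total-size budget added for the same reason.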
Github Security Blog · added 2025/07/28 4:08 p.m.

CodeIgniter4's ImageMagick Handler has Command Injection Vulnerability

Impact: This vulnerability affects applications that use the ImageMagick handler for image processing (imagick as the image library) AND either allow file uploads with user-controlled filenames and process uploaded images using the resize method, OR use the text method with user-controlled text...

CVSS 9.8 · AI score 6.7 · EPSS 0.01547 · Exploits 0 · References 6 · Affected software 1
NVD · added 2025/07/28 3:15 p.m.

CVE-2025-54418

CodeIgniter is a PHP full-stack web framework. A command injection vulnerability in versions prior to 4.6.2 affects applications that use the ImageMagick handler for image processing (imagick as the image library) and either allow file uploads with user-controlled filenames and process...

CVSS 9.8 · EPSS 0.01547 · Exploits 0 · References 4
Cvelist · added 2025/07/28 2:47 p.m.

CVE-2025-54418 CodeIgniter4's ImageMagick Handler has Command Injection Vulnerability

CodeIgniter is a PHP full-stack web framework. A command injection vulnerability in versions prior to 4.6.2 affects applications that use the ImageMagick handler for image processing (imagick as the image library) and either allow file uploads with user-controlled filenames and process...

CVSS 9.8 · EPSS 0.01547 · Exploits 0 · References 4
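The bug class in the three CVE-2025-54418 entries above (the GitHub advisory, the NVD record and the Cvelist record), as an added example that is not CodeIgniter's code and is written in Python rather than PHP: a user-controlled upload name interpolated into a `convert ... -resize` command string, beside two fixes. `quoted_command` keeps the shell string but quotes each argument, and `safe_argv` validates the name against an allow-list and passes it as its own argv element with no shell at all. The allow-list also excludes ImageMagick's own filename syntax (`|cmd` pipes, `@file` read-from-file, `coder:` prefixes such as `msl:`), which a shell-only fix would still let through, and the `./` prefix stops a name beginning with `-` from being parsed as an option. `shell_words` is a thin wrapper over `shlex.split` used to show how a POSIX shell would tokenise each string; all function names and the sample filenames are assumptions of this example.

```python
import re
import shlex

# Allow-list for a stored upload name: alphanumerics, '_', '.', '-' only, not starting
# with '.' or '-'. This excludes shell metacharacters and ImageMagick's own syntax
# ('|' pipes, '@' read-from-file, 'coder:' prefixes, path separators).
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")


def vulnerable_command(upload_name, width, height, tool="convert"):
    """The pattern the advisory describes: the filename lands in a shell command string."""
    return f"{tool} {upload_name} -resize {width}x{height} out.png"


def quoted_command(upload_name, width, height, tool="convert"):
    """Fallback for code that must keep a shell string: quote every argument and
    force the geometry to integers so it cannot smuggle extra words either."""
    geometry = f"{int(width)}x{int(height)}"
    return f"{tool} {shlex.quote(upload_name)} -resize {geometry} out.png"


def safe_argv(upload_name, width, height, tool="convert"):
    """Preferred fix: validate the name, then hand it to the tool as its own argv
    element (subprocess.run(argv) with shell=False), so no shell parses it."""
    if not SAFE_NAME.fullmatch(upload_name):
        raise ValueError(f"unsafe upload name: {upload_name!r}")
    geometry = f"{int(width)}x{int(height)}"
    return [tool, f"./{upload_name}", "-resize", geometry, "out.png"]


def shell_words(command):
    """How a POSIX shell would split the command into words (quotes respected)."""
    return shlex.split(command)


if __name__ == "__main__":
    hostile = "photo.png; echo INJECTED"   # constructed attacker-chosen upload name
    print("vulnerable:", shell_words(vulnerable_command(hostile, 100, 100)))
    print("quoted:    ", shell_words(quoted_command(hostile, 100, 100)))
    for name in (hostile, "|id.png", "@/etc/passwd", "msl:payload.xml", "-debug.png"):
        try:
            safe_argv(name, 100, 100)
        except ValueError as e:
            print("rejected:", e)
    print("accepted:  ", safe_argv("photo-1.png", 200, 100))
```

The `text` method path the advisory also names needs the same treatment for the caption string: pass it as a separate argument, never through a shell string, and keep in mind that ImageMagick interprets `@` and `%` escapes inside label text as well as in filenames.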