CVE-2025-54418 CodeIgniter4's ImageMagick Handler has Command Injection Vulnerability
CodeIgniter is a PHP full-stack web framework. A command injection vulnerability present in versions prior to 4.6.2 affects applications that use the ImageMagick handler for image processing (imagick as the image library) and either allow file uploads with user-controlled filenames and process...
Security update for jbigkit
This update for jbigkit fixes the following issues: Updated to version 2.1: CVE-2022-1210: Fixed denial of service in TIFF File Handler (bsc#1198146). Patch Instructions: To install this SUSE update, use the SUSE recommended installation methods such as YaST online_update or "zypper patch". Alternatively...
CVE-2025-38494
CVE-2025-38494 (Linux kernel) : In the HID core, hid_hw_raw_request() checks were bypassed by a low-level transport path, allowing the use of invalid parameters. The vulnerability was resolved in the Linux kernel; advisories from Debian/Amazon/RHEL references confirm the fix. Impact is high (loca...
CVE-2025-38491
In the Linux kernel, the following vulnerability has been resolved: mptcp: make fallback action and fallback decision atomic Syzkaller reported the following splat: WARNING: CPU: 1 PID: 7704 at net/mptcp/protocol.h:1223 mptcp_do_fallback net/mptcp/protocol.h:1223 [inline] WARNING: CPU: 1 PID: 7704 at...
CVE-2025-38487 soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled
In the Linux kernel, the following vulnerability has been resolved: soc: aspeed: lpc-snoop: Don't disable channels that aren't enabled Mitigate e.g. the following: echo 1e789080.lpc-snoop > /sys/bus/platform/drivers/aspeed-lpc-snoop/unbind ... [ 120.363594] Unable to handle kernel NULL pointer...
CVE-2025-38484 iio: backend: fix out-of-bound write
In the Linux kernel, the following vulnerability has been resolved: iio: backend: fix out-of-bound write The buffer is set to 80 characters. If a caller writes more characters, count is truncated to the maximum available space in simple_write_to_buffer(). But afterwards a string terminator is written to t...
CVE-2025-38474
CVE-2025-38474 affects the Linux kernel USB Sierra network driver. The issue arises from not verifying that the driver’s third USB endpoint is an interrupt input, since the code only checked for three endpoints and bulk in/out. The fix “rectifies the omission” by validating the endpoint type. Ups...
CVE-2025-38471
In the Linux kernel, the following vulnerability has been resolved: tls: always refresh the queue when reading sock After recent changes in net-next TCP compacts skbs much more aggressively. This unearthed a bug in TLS where we may try to operate on an old skb when checking if all skbs in the que...
CVE-2025-54414
Anubis is a Web AI Firewall Utility that weighs the soul of users' connections using one or more challenges in order to protect upstream resources from scraper bots. In versions 1.21.2 and below, attackers can craft malicious pass-challenge pages that cause a user to execute arbitrary JavaScript...
WordPress KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme Theme <= 4.21.0 is vulnerable to Arbitrary File Deletion
Software KALLYAS - Creative eCommerce Multi-Purpose WordPress Theme Type Theme Vulnerable versions <= 4.21.0 Fixed in 4.22.0 OWASP Top 10 A3: Injection Classification Arbitrary File Deletion CVE CVE-2025-6989 Patch priority Medium CVSS severity Medium 8.1 Developer EPC PSID fbbebe81e3b7 Credits...
CVE-2025-8219
CVE-2025-8219 affects Lingdang CRM up to version 8.6.4.7. The issue is an SQL injection in the HTTP POST Request Handler, caused by manipulation of the getvaluestring argument at /crm/crmapi/erp/tabdetail_moduleSave_dxkp.php. This can be triggered remotely. The vendor states all SQL injection vec...
DLA-4253-1 thunderbird - security update
Bulletin has no description...
WordPress Advanced iFrame plugin <= 2025.5 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability
Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Muhammad Yudha in WordPress Plugin Advanced iFrame versions <= 2025.5...
GHSA-J63H-HMGW-X4J7 Opencast still publishes global system account credentials
Description Opencast prior to versions 17.6 would incorrectly send the hashed global system account credentials (i.e. org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass) when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous...
CVE-2024-13976 Commvault 11.20.0 - 11.36.0 Windows Maintenance Installer DLL Injection
A DLL injection vulnerability exists in Commvault for Windows 11.20.0, 11.28.0, 11.32.0, 11.34.0, and 11.36.0. During the installation of maintenance updates, an attacker with local access may exploit uncontrolled search path or DLL loading behavior to execute arbitrary code with elevated...
CVE-2025-38461
In the Linux kernel, the following vulnerability has been resolved: vsock: Fix transport TOCTOU Transport assignment may race with module unload. Protect new_transport from becoming a stale pointer. This also takes care of an insecure call in vsock_use_local_transport; add a lockdep assert. BUG: unab...
CVE-2025-38457
CVE-2025-38457 concerns a Linux kernel net/sched bug where grafting a qdisc to a non-existent parent class could cause a failure during qdisc initialization. The fix introduces early validation via qdisc_leaf so that attempting to attach to a non-class parent aborts before qdisc_create. Affected ...
CVE-2025-32988 affecting package gnutls for versions less than 3.7.11-4
CVE-2025-32988 affecting package gnutls for versions less than 3.7.11-4. A patched version of the package is available...