CVE-2025-7785 thinkgem JeeSite SsoController.java sso redirect
A vulnerability classified as problematic was found in thinkgem JeeSite up to 5.12.0. This vulnerability affects the function sso of the file src/main/java/com/jeesite/modules/sys/web/SsoController.java. The manipulation of the argument redirect leads to open redirect. The attack can be initiated...
GHSA-VQPH-P5VC-G644 Grafana is vulnerable to XSS attacks through open redirects and path traversal
An open redirect vulnerability has been identified in Grafana OSS that can be exploited to achieve XSS attacks. The vulnerability was introduced in Grafana v11.5.0. The open redirect can be chained with path traversal vulnerabilities to achieve XSS. Fixed in versions 12.0.2+security-01,...
Ubuntu: Security Advisory (USN-7651-1)
The remote host is missing an update for the ... SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ...
SUSE: Security Advisory (SUSE-SU-2025:02334-1)
The remote host is missing an update for the ... SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ...
XWiki 7.2-milestone-2 < 16.4.7, 16.5.0-rc-1 < 16.10.3, 17.0.0-rc-1 < 17.0.0 RCE Vulnerability (GHSA-jp4x-w9cj-97q7)
XWiki is prone to a remote code execution (RCE) vulnerability. SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE = "cpe:/a:xwiki:xwiki";...
GHSA-76C9-3JPH-RJ3Q on-headers is vulnerable to http response header manipulation
Impact: A bug in on-headers versions < 1.1.0 may result in response headers being inadvertently modified when an array is passed to response.writeHead. Patches: Users should upgrade to 1.1.0. Workarounds: Users are encouraged to upgrade to 1.1.0, but this issue can be worked around by passing an object t...
CVE-2025-49812 affecting package httpd for versions less than 2.4.64-1
CVE-2025-49812 affecting package httpd for versions less than 2.4.64-1. An upgraded version of the package is available that resolves this issue...
CVE-2025-49827
Conjur provides secrets management and application identity for infrastructure. Conjur OSS versions 1.19.5 through 1.22.0 and Secrets Manager, Self-Hosted (formerly known as Conjur Enterprise) 13.1 through 13.5 and 13.6 are vulnerable to bypass of the IAM authenticator. An attacker who can manipula...
CVE-2025-7339
on-headers is a node.js middleware for listening to when a response writes headers. A bug in on-headers versions < 1.1.0 may result in response headers being inadvertently modified when an array is passed to response.writeHead. Users should upgrade to version 1.1.0 to receive a patch. Users are...
CVE-2025-53622
DSpace open source software is a repository application which provides durable access to digital resources. Prior to versions 7.6.4, 8.2, and 9.1, a path traversal vulnerability is possible during the import of an archive in Simple Archive Format, either from command-line ./dspace import command ...
CVE-2025-54061 WeGIA SQL Injection (Blind Time-Based) Vulnerability in idatendido_familiares Parameter on dependente_editarDoc.php Endpoint
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in versions prior to 3.4.6 in the idatendido_familiares parameter of the /html/funcionario/dependente_editarDoc.php endpoint. This vulnerability allo...
CVE-2025-54061
WeGIA is affected by an SQL Injection in versions prior to 3.4.6, exploitable via the idatendido_familiares parameter of the /html/funcionario/dependente_editarDoc.php endpoint. The underlying issue allows an attacker to manipulate SQL queries and access sensitive database data. The fix is to upg...
CVE-2025-53909
mailcow: dockerized is an open source groupware/email suite based on docker. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 2025-07 in the notification template system used by mailcow for sending quota and quarantine alerts. The template rendering engine allows...
WordPress Universal Video Player - Addon for WPBakery Page Builder <= 3.2.1 - Cross Site Scripting (XSS) Vulnerability
WordPress Universal Video Player - Addon for WPBakery Page Builder <= 3.2.1 - Cross Site Scripting (XSS) Vulnerability discovered by Tran Nguyen Bao Khanh (VCI - VNPT Cyber Immunity) in WordPress Plugin Universal Video Player - Addon for WPBakery Page Builder versions <= 3.2.1...
Cisco Warns of Critical ISE Flaw Allowing Unauthenticated Attackers to Execute Root Code
Cisco has disclosed a new maximum-severity security vulnerability impacting Identity Services Engine (ISE) and Cisco ISE Passive Identity Connector (ISE-PIC) that could permit an attacker to execute arbitrary code on the underlying operating system with elevated privileges. Tracked as CVE-2025-20337,...
Cisco ISE ERS InternalUser command injection
Added: 07/17/2025. Background: Cisco Identity Services Engine (ISE) is a centralized user access control system which provides network access policy for end users, whether they connect through a wired or wireless network or by VPN. Problem: A vulnerability in the Cisco ISE ERS API could allow remote,...
Microsoft Edge (Chromium-Based) < 138.0.3351.95 Multiple Vulnerabilities (Jun 2025)
Microsoft Edge (Chromium-Based) is prone to multiple vulnerabilities. SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only CPE =...
CVE-2025-53821
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. An Open Redirect vulnerability exists in the web application prior to version 3.4.5. The control.php endpoint allows specifying an arbitrary URL via the nextPage parameter, leading to an...
CVE-2025-53908
RomM is a self-hosted rom manager and player. Versions prior to 3.10.3 and 4.0.0-beta.3 have an authenticated path traversal vulnerability in the /api/raw endpoint. Anyone running the latest version of RomM who has multiple users, even unprivileged users, such as the kiosk user in the official...
CVE-2025-53904
The Scratch Channel is a news website that is under development as of the time of this writing. The file /api/admin.js contains code that could make the website vulnerable to cross-site scripting. No known patches exist as of the time of publication...