30381 matches found

Cvelist · added 2025/07/02 2:05 p.m. · 9 views

CVE-2025-49588 Linkwarden Local File Inclusion Vulnerability

Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. In version 2.10.2, the server accepts links of the form file:///etc/passwd and performs no validation before sending them to the parsers and Playwright; this can result in a leak of other...

CVSS 8.7 · EPSS 0.00303
Exploits 0 · References 1
CVE · added 2025/07/02 1:28 p.m. · 57 views

CVE-2025-53106

Graylog grant path vulnerability affects versions 6.2.0 to before 6.2.4 and 6.3.0-alpha.1 to before 6.3.0-rc.2. A weak permission check in the REST API token creation process lets a user with an account issue crafted requests to create API tokens for high-privilege users (including the local Administrator), enabling pri...

CVSS 8.8 · AI score 6.5 · EPSS 0.005
Exploits 0 · References 3 · Affected software 1
Cvelist · added 2025/07/02 1:28 p.m. · 10 views

CVE-2025-53106 Graylog vulnerable to privilege escalation through API tokens

Graylog is a free and open log management platform. In versions 6.2.0 to before 6.2.4 and 6.3.0-alpha.1 to before 6.3.0-rc.2, Graylog users can gain elevated privileges by creating and using API tokens for the local Administrator or any other user for whom the malicious user knows the ID. For the...

CVSS 8.8 · EPSS 0.005
Exploits 0 · References 3
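The two Graylog entries above describe the same defect: the token-creation endpoint checks that the caller is authenticated but never relates the caller to the user ID named in the request, so any account can mint a token that acts as the local Administrator. The following is an added illustration written for this page, not Graylog's code; the role name "admin", the user IDs and the in-memory store are all assumed. It shows the vulnerable check beside the hardened one and lets you confirm which identity a minted token resolves to.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: str
    roles: frozenset = field(default_factory=frozenset)


class Forbidden(PermissionError):
    """The requester may not act on the target user."""


class ApiTokenService:
    """Minimal token store keyed on the user a token acts as (assumed design)."""

    ADMIN_ROLE = "admin"   # assumed role name for this illustration

    def __init__(self) -> None:
        self._owner_by_token: dict[str, str] = {}

    def create_token_unchecked(self, requester: User, target_user_id: str) -> str:
        """Vulnerable shape: confirms the requester is logged in, then trusts
        target_user_id straight from the request body."""
        if requester is None:
            raise Forbidden("authentication required")
        return self._mint(target_user_id)

    def create_token(self, requester: User, target_user_id: str) -> str:
        """Hardened shape: tokens may only be minted for yourself, unless the
        requester holds an explicit admin role. The decision is made from the
        server-side identity, not from anything the client supplied."""
        if requester.user_id != target_user_id and self.ADMIN_ROLE not in requester.roles:
            raise Forbidden(f"{requester.user_id} may not create tokens for {target_user_id}")
        return self._mint(target_user_id)

    def _mint(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)
        self._owner_by_token[token] = user_id
        return token

    def whoami(self, token: str) -> str:
        """Identity an API call runs as when presenting this token."""
        return self._owner_by_token[token]


def can_create_token(svc: ApiTokenService, requester: User, target_user_id: str) -> bool:
    """True if the hardened path lets `requester` mint a token for `target_user_id`."""
    try:
        svc.create_token(requester, target_user_id)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    svc = ApiTokenService()
    attacker = User("u-1001")                      # constructed low-privilege account
    admin_id = "local:admin"                       # constructed high-privilege target

    stolen = svc.create_token_unchecked(attacker, admin_id)
    print("unchecked endpoint: token acts as", svc.whoami(stolen))   # local:admin
    print("hardened endpoint allows it:", can_create_token(svc, attacker, admin_id))  # False
    print("hardened endpoint, own account:", can_create_token(svc, attacker, "u-1001"))  # True
```

The check belongs in the endpoint that creates the token, not in a UI layer: the advisory text is about crafted requests, so anything the browser would have prevented is irrelevant.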
OSV · added 2025/07/02 10:03 a.m. · 7 views

RHSA-2025:10118 Red Hat Security Advisory: Red Hat Product OCP Tools 4.12 OpenShift Jenkins security update

Bulletin has no description...

CVSS 7.5 · AI score 7.8 · EPSS 0.01119
Exploits 1 · References 26
Vulnrichment · added 2025/07/02 8:30 a.m. · 5 views

CVE-2025-24331 Nokia Single RAN baseband OAM service extensive capabilities

The Single RAN baseband OAM service is intended to run as an unprivileged service. However, it initially starts with root privileges and assigns certain capabilities before dropping to an unprivileged level. The capabilities retained from the root period are considered extensive after the privile...

AI score 6.6 · EPSS 0.00135
Exploits 0 · References 1
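The entry above describes a service that starts as root, keeps a set of capabilities, and then drops to an unprivileged UID, with the retained set being too broad. The practical check is to read the process's effective capability mask after the drop and compare it with what the service is supposed to keep. Below is an added auditor script written for this page (not Nokia's code and not tied to any Nokia version): the capability bit table is the standard Linux <linux/capability.h> ordering, the "root-equivalent" list is the reviewer's own non-exhaustive selection, and the /proc status sample and the allowed set are constructed for the illustration.

```python
# Linux capability bit numbers in <linux/capability.h> order (41 capabilities
# as of kernel 5.9); list index == bit position in CapEff/CapPrm/CapBnd.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ", "CAP_PERFMON", "CAP_BPF",
    "CAP_CHECKPOINT_RESTORE",
]

# Capabilities from which an unprivileged UID can usually regain full root.
# Reviewer's own (non-exhaustive) selection for this illustration, not a
# kernel-defined set.
ROOT_EQUIVALENT = frozenset({
    "CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO",
    "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_SETUID", "CAP_SETGID",
    "CAP_SETFCAP", "CAP_SETPCAP", "CAP_CHOWN", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_BPF",
})


def parse_cap_mask(status_text: str, field: str = "CapEff") -> int:
    """Extract one Cap* field from /proc/<pid>/status text as an integer."""
    for line in status_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key == field:
            return int(value.strip(), 16)
    raise KeyError(f"{field} not found in status text")


def decode_caps(mask: int) -> set:
    """Bitmask -> set of capability names."""
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def encode_caps(names) -> int:
    """Set of capability names -> bitmask (inverse of decode_caps)."""
    mask = 0
    for name in names:
        mask |= 1 << CAP_NAMES.index(name)
    return mask


def audit_retained(status_text: str, allowed) -> dict:
    """Compare the effective set after the privilege drop with the intended one."""
    effective = decode_caps(parse_cap_mask(status_text, "CapEff"))
    unexpected = effective - set(allowed)
    return {
        "effective": effective,
        "unexpected": unexpected,
        "root_equivalent": unexpected & ROOT_EQUIVALENT,
    }


def read_proc_status(pid=None) -> str:
    """Read /proc/<pid>/status (default: the current process) on a live Linux host."""
    target = "self" if pid is None else str(int(pid))
    with open(f"/proc/{target}/status", encoding="ascii") as fh:
        return fh.read()


# Constructed sample: a daemon that dropped to uid 1001 but kept CAP_DAC_OVERRIDE
# and CAP_SYS_ADMIN next to the one capability it actually needs
# (0x200402 = bits 1, 10 and 21).
SAMPLE_STATUS = (
    "Name:\toam-service\n"
    "Uid:\t1001\t1001\t1001\t1001\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000200402\n"
    "CapEff:\t0000000000200402\n"
    "CapBnd:\t000001ffffffffff\n"
    "CapAmb:\t0000000000000000\n"
)

if __name__ == "__main__":
    report = audit_retained(SAMPLE_STATUS, allowed={"CAP_NET_BIND_SERVICE"})
    for key in ("effective", "unexpected", "root_equivalent"):
        print(f"{key:16s} {sorted(report[key])}")
```

On a real host, pass `read_proc_status(pid)` instead of the sample, and check CapPrm and CapBnd as well as CapEff: a capability that is merely permitted, or still in the bounding set, can come back later.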
NVD · added 2025/07/02 8:15 a.m. · 7 views

CVE-2025-24328

Sending a crafted SOAP "set" operation message within the Mobile Network Operator (MNO) internal Radio Access Network (RAN) management network can cause a Nokia Single RAN baseband OAM service component restart in software versions earlier than release 24R1-SR 1.0 MP. This issue has been corrected to...

CVSS 4.2 · EPSS 0.00168
Exploits 0 · References 1
Tenable Nessus · added 2025/07/02 12:00 a.m. · 2 views

Photon OS 4.0: Krb5 PHSA-2025-4.0-0823

An update of the krb5 package has been released. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2025-4.0-0823. The text itself is copyright © VMware, Inc.; the plugin is copyright © Tenable, Inc...

CVSS 9 · AI score 8.6 · EPSS 0.14859
Exploits 2 · References 2
Positive Technologies · added 2025/07/02 12:00 a.m. · 3 views

PT-2025-27602 · WordPress · The Forminator Forms

Name of the vulnerable software and affected versions: The Forminator Forms – Contact Form, Payment Form & Custom Form Builder plugin for WordPress, versions up to and including 1.44.2. Description: The issue is related to PHP Object Injection via deserialization of untrusted input in the entry...

CVSS 8.8 · AI score 7.1 · EPSS 0.00469
Exploits 0 · References 10
Positive Technologies · added 2025/07/02 12:00 a.m. · 3 views

PT-2025-27645 · Kotaemon · Kotaemon

Name of the vulnerable software and affected versions: kotaemon versions 0.10.6 and prior. Description: The issue concerns an open-source RAG-based tool for document comprehension. In the affected versions, the index_fn method in libs/ktem/ktem/index/file/ui.py accepts both URLs and local file pat...

CVSS 6.5 · AI score 6.2 · EPSS 0.0038
Exploits 0 · References 7
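The Linkwarden entry (a link of the form file:///etc/passwd handed to the parsers and Playwright without validation) and the kotaemon entry (an indexing method that accepts local file paths as well as URLs) share one root cause: a value that should name a web resource reaches a fetcher or parser without a scheme check. The following validator is an added example for this page, not code from either project; the function names and the sample inputs are the reviewer's own. It refuses anything that is not an absolute http(s) URL with a host, before the value reaches any fetch or parse step.

```python
from urllib.parse import urlsplit

# Only web origins may be handed to the fetcher / parser; file:, ftp:, data:,
# javascript: and bare filesystem paths are all refused.
ALLOWED_SCHEMES = frozenset({"http", "https"})


class UnsafeTarget(ValueError):
    """The supplied link is not a plain, absolute http(s) URL."""


def validate_fetch_target(raw: str) -> str:
    """Return the link unchanged if it is an absolute http(s) URL with a host.

    Raises UnsafeTarget for the shapes that let a server-side fetcher or a
    headless browser read the local filesystem: file:// URLs (any case),
    scheme-less paths such as /etc/passwd or ../x, and http:///path (allowed
    scheme but an empty host, which some fetchers treat as a local path).
    """
    candidate = raw.strip()
    if not candidate:
        raise UnsafeTarget("empty target")
    # Control characters (including NUL) never belong in a submitted link.
    if any(ord(ch) < 0x20 or ord(ch) == 0x7F for ch in candidate):
        raise UnsafeTarget("control character in target")
    parts = urlsplit(candidate)          # urlsplit lower-cases the scheme
    if parts.scheme not in ALLOWED_SCHEMES:
        raise UnsafeTarget(f"scheme {parts.scheme or '(none)'!r} is not allowed")
    if not parts.hostname:
        raise UnsafeTarget("URL has no host component")
    return candidate


def is_safe_fetch_target(raw: str) -> bool:
    """Boolean form of validate_fetch_target for callers that just filter."""
    try:
        validate_fetch_target(raw)
        return True
    except UnsafeTarget:
        return False


if __name__ == "__main__":
    # Constructed inputs: the first is what a bookmark or ingest form should
    # accept; the rest are the shapes that must be refused.
    samples = [
        "https://example.com/article?id=1",
        "file:///etc/passwd",
        "FILE:///etc/passwd",
        "/etc/passwd",
        "../../.env",
        "http:///etc/passwd",
        "C:\\Windows\\win.ini",
        "javascript:alert(1)",
    ]
    for s in samples:
        print(f"{'accept' if is_safe_fetch_target(s) else 'reject':7s} {s}")
```

This check only settles the scheme question. A headless browser can still be redirected to another scheme or to an internal address after the first request, so the same policy has to be enforced on redirects and on the resolved host (private ranges, link-local metadata addresses), which is a separate layer from what the advisories above describe.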
Positive Technologies · added 2025/07/02 12:00 a.m. · 4 views

PT-2025-27659

Name of the vulnerable software and affected versions: Cisco Unified Communications Manager (Unified CM) versions 15.0.1.13010-1 through 15.0.1.13017-1; Cisco Unified Communications Manager Session Management Edition (Unified CM SME) versions 15.0.1.13010-1 through 15.0.1.13017-1. Description: A...

CVSS 10 · AI score 7.9 · EPSS 0.01061
Exploits 0 · References 89
OpenVAS · added 2025/07/02 12:00 a.m. · 2 views

SUSE: Security Advisory (SUSE-SU-2025:02165-1)

The remote host is missing an update announced via the SUSE-SU-2025:02165-1 advisory. (Greenbone plugin text, SPDX-FileCopyrightText: 2025 Greenbone AG, SPDX-License-Identifier: GPL-2.0-only; some text descriptions may be excerpted from referenced sources and are copyright © the respective rights holders.)

CVSS 7.1 · AI score 6.5 · EPSS 0.00193
Exploits 0 · References 6
OSV · added 2025/07/01 7:15 p.m. · 5 views

PYSEC-2025-61

Pillow is a Python imaging library. In versions 11.2.0 to before 11.3.0, there is a heap buffer overflow when writing a sufficiently large image (more than 64k when encoded with default settings) in the DDS format, because data is written into a buffer without checking for available space. This only affects users who save...

CVSS 7.1 · AI score 7.6 · EPSS 0.00261
Exploits 1 · References 4
Cvelist · added 2025/07/01 6:27 p.m. · 10 views

CVE-2025-27153 Escalade GLPI Plugin Vulnerable to Improper Access Control

Escalade GLPI plugin is a ticket escalation process helper for GLPI. Prior to version 2.9.11, there is an improper access control vulnerability. This can lead to data exposure and workflow disruptions. This issue has been patched in version 2.9.11...

CVSS 6.5 · EPSS 0.00242
Exploits 0 · References 2
NVD · added 2025/07/01 6:15 p.m. · 6 views

CVE-2025-53100

RestDB's Codehooks.io MCP Server is an MCP server on the Codehooks.io platform. Prior to version 0.2.2, the MCP server is written in a way that is vulnerable to command injection attacks in some of its MCP server tool definitions and implementations. This could result in a user-initiated...

CVSS 8.6 · EPSS 0.01297
Exploits 0 · References 3
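The entry above says the MCP server's tool implementations are vulnerable to command injection, which is the classic shape of a tool argument spliced into a shell command line. The following is an added illustration for this page, not the Codehooks.io code and not a reproduction of that issue: it shows the vulnerable pattern beside the hardened one, using a generic "show a file" tool built on `cat` under a POSIX `/bin/sh` (both assumed to be present), with the argument pattern and the injected string constructed by the reviewer.

```python
import re
import subprocess

# A tool argument that names a file: conservative charset, no leading "-" or ".",
# so it can never be parsed as an option, a path traversal, or shell syntax.
SAFE_ARG = re.compile(r"[A-Za-z0-9_][A-Za-z0-9._-]{0,63}")


def run_tool_vulnerable(path_arg: str) -> subprocess.CompletedProcess:
    """Vulnerable pattern: the tool input is interpolated into a shell string,
    so ; | $() and backticks in the input are executed by /bin/sh."""
    return subprocess.run(f"cat {path_arg}", shell=True,
                          capture_output=True, text=True, check=False)


def run_tool_hardened(path_arg: str) -> subprocess.CompletedProcess:
    """Hardened pattern: validate first, then pass an argv list with shell=False
    so the value reaches the program as exactly one literal argument; the "--"
    stops the program itself from treating the value as an option."""
    if not SAFE_ARG.fullmatch(path_arg):
        raise ValueError(f"rejected tool argument: {path_arg!r}")
    return subprocess.run(["cat", "--", path_arg], shell=False,
                          capture_output=True, text=True, check=False)


def hardened_rejects(path_arg: str) -> bool:
    """True if the hardened tool refuses the argument before spawning anything."""
    try:
        run_tool_hardened(path_arg)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    import os
    import tempfile

    # Constructed malicious tool input: a file name followed by a second command.
    payload = "missing.txt; echo INJECTED"
    print("vulnerable stdout:", run_tool_vulnerable(payload).stdout.strip())   # INJECTED
    print("hardened rejects :", hardened_rejects(payload))                     # True

    # Legitimate use still works: a real file in a temp dir, referenced by name.
    with tempfile.TemporaryDirectory() as d:
        os.chdir(d)
        with open("notes.txt", "w", encoding="utf-8") as fh:
            fh.write("hello\n")
        print("hardened stdout  :", run_tool_hardened("notes.txt").stdout.strip())  # hello
```

Validation plus argv is the combination to keep: the argv list removes the shell from the path entirely, and the allowlist stops the argument being abused against the program itself (options, traversal, unexpected files).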
NVD · added 2025/07/01 6:15 p.m. · 3 views

CVE-2025-53103

JUnit is a testing framework for Java and the JVM. From version 5.12.0 to 5.13.1, JUnit's support for writing Open Test Reporting XML files can leak Git credentials. The impact depends on the level of the access token exposed through the OpenTestReportGeneratingListener. If these test reports are...

CVSS 5.8 · EPSS 0.00099
Exploits 0 · References 2
Cvelist · added 2025/07/01 6:02 p.m. · 7 views

CVE-2025-53103 JUnit OpenTestReportGeneratingListener can leak Git credentials

JUnit is a testing framework for Java and the JVM. From version 5.12.0 to 5.13.1, JUnit's support for writing Open Test Reporting XML files can leak Git credentials. The impact depends on the level of the access token exposed through the OpenTestReportGeneratingListener. If these test reports are...

CVSS 5.8 · EPSS 0.00099
Exploits 0 · References 2
Wordfence Blog · added 2025/07/01 4:33 p.m. · 6 views

600,000 WordPress Sites Affected by Arbitrary File Deletion Vulnerability in Forminator WordPress Plugin

📢 Calling all Vulnerability Researchers and Bug Bounty Hunters! 📢 🌞 Spring into Summer with Wordfence! Now through August 4, 2025, earn 2X bounty rewards for all in-scope submissions from our 'High Threat' list in software with fewer than 5 million active installs. Bounties up to $31,200 per...

CVSS 8.8 · AI score 7.2 · EPSS 0.10538
Exploits 0
Cvelist · added 2025/07/01 2:53 p.m. · 11 views

CVE-2025-53099 Sentry Missing Invalidation of Authorization Codes During OAuth Exchange and Revocation

Sentry is a developer-first error tracking and performance monitoring tool. Prior to version 25.5.0, an attacker with a malicious OAuth application registered with Sentry can take advantage of a race condition and improper handling of authorization code within Sentry to maintain persistence to a...

CVSS 5.5 · EPSS 0.00672
Exploits 0 · References 8
Vulnrichment · added 2025/07/01 2:53 p.m. · 7 views

CVE-2025-53099 Sentry Missing Invalidation of Authorization Codes During OAuth Exchange and Revocation

Sentry is a developer-first error tracking and performance monitoring tool. Prior to version 25.5.0, an attacker with a malicious OAuth application registered with Sentry can take advantage of a race condition and improper handling of authorization code within Sentry to maintain persistence to a...

CVSS 5.5 · AI score 6.5 · EPSS 0.00672
Exploits 0 · References 8
CVE · added 2025/07/01 2:53 p.m. · 103 views

CVE-2025-53099

CVE-2025-53099 affects Sentry prior to 25.5.0. A race condition in handling of OAuth authorization codes could allow a malicious OAuth app to maintain persistence on a user’s account via timed requests/redirect flows and multiple authorization codes. The issue is mitigated by upgrading self-hoste...

CVSS 7.5 · AI score 6.5 · EPSS 0.00672
Exploits 0 · References 8 · Affected software 1
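The three Sentry entries above (Cvelist, Vulnrichment, CVE) describe two properties an authorization-code store has to guarantee: a code is consumed exactly once even under concurrent exchange requests, and revoking an application's grant also kills every code that application is still holding for the user. The following store is an added example written for this page, not Sentry's implementation; the in-memory dict, the lock-based design, the TTL and the thread race harness are all the reviewer's assumptions. It keeps a deliberately racy `exchange_racy` next to the atomic `exchange` so the difference can be observed.

```python
import secrets
import threading
import time


class AuthorizationCodeStore:
    """Single-use authorization codes bound to (client_id, user_id).

    exchange() consumes a code atomically: a second exchange of the same
    code, concurrent or not, fails instead of minting a second token.
    revoke() drops every code still outstanding for an app/user pair, so
    revoking the app also invalidates codes it obtained but never used.
    """

    def __init__(self, ttl_seconds: float = 600, clock=time.monotonic) -> None:
        self._lock = threading.Lock()
        self._codes: dict = {}          # code -> (client_id, user_id, expires_at)
        self._ttl = ttl_seconds
        self._clock = clock

    def issue(self, client_id: str, user_id: str) -> str:
        code = secrets.token_urlsafe(32)
        with self._lock:
            self._codes[code] = (client_id, user_id, self._clock() + self._ttl)
        return code

    def exchange(self, code: str, client_id: str):
        """Return user_id on success, None otherwise. pop() under the lock makes
        lookup and deletion one step, so two callers cannot both see it valid.
        A code presented by the wrong client is consumed (and wasted) too."""
        with self._lock:
            entry = self._codes.pop(code, None)
        if entry is None:
            return None
        bound_client, user_id, expires_at = entry
        if bound_client != client_id or self._clock() > expires_at:
            return None
        return user_id

    def exchange_racy(self, code: str, client_id: str):
        """Bug shape for comparison: check, then act. Every caller that reads
        the entry before the first deletion succeeds. Do not use."""
        entry = self._codes.get(code)
        if entry is None:
            return None
        time.sleep(0.001)               # stands in for the token-minting round trip
        self._codes.pop(code, None)
        bound_client, user_id, expires_at = entry
        if bound_client != client_id or self._clock() > expires_at:
            return None
        return user_id

    def revoke(self, client_id: str, user_id: str) -> int:
        """Called when the user revokes the app; returns how many codes died."""
        with self._lock:
            doomed = [c for c, (cid, uid, _) in self._codes.items()
                      if cid == client_id and uid == user_id]
            for c in doomed:
                del self._codes[c]
        return len(doomed)

    def pending(self) -> int:
        with self._lock:
            return len(self._codes)


def race_exchange(store, code, client_id, workers=16, atomic=True):
    """Present one code from `workers` threads at once; return the success count."""
    fn = store.exchange if atomic else store.exchange_racy
    results = []
    start = threading.Barrier(workers)

    def attempt():
        start.wait()
        results.append(fn(code, client_id))

    threads = [threading.Thread(target=attempt) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    return sum(1 for r in results if r is not None)


if __name__ == "__main__":
    store = AuthorizationCodeStore()
    code = store.issue("app-1", "user-9")            # constructed app and user ids
    print("atomic exchanges that succeeded:", race_exchange(store, code, "app-1"))        # 1
    code = store.issue("app-1", "user-9")
    print("racy exchanges that succeeded  :", race_exchange(store, code, "app-1", atomic=False))
    for _ in range(3):
        store.issue("app-1", "user-9")
    print("codes killed by revoke         :", store.revoke("app-1", "user-9"))           # 3
```

In a real deployment the "lock" is whatever gives the database an atomic consume (a conditional UPDATE or DELETE ... RETURNING on the code row), and revocation has to cover codes, refresh tokens and access tokens for the same grant, not just one of them.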