SUSE Linux
added 2025/06/30 5:53 p.m.

Security update for sudo

This update for sudo fixes the following issues: CVE-2025-32462: Fixed a possible local privilege escalation via the --host option (bsc#1245274). Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you...

CVSS 7.3 · AI score 9.2 · EPSS 0.03239
Exploits 12 · References 4
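The SUSE sudo entries on this page name the CVE and the option involved (--host) but give no way to tell whether a particular machine is actually exposed. The script below is an added example, not SUSE's or the sudo project's code. It parses the `sudo --version` banner, compares it against 1.9.17p1 (the upstream release that carries the fix; this is an assumption about upstream numbering, the advisory itself names no version), and scans a sudoers policy for host-specific rules, because --host only gains an attacker anything when the policy distinguishes between hosts. The SAMPLE_SUDOERS policy is constructed for the demo and the function names are my own.

```python
"""Added example (not from the SUSE advisory or the sudo project): decide
whether a sudo build sits in the CVE-2025-32462 exposure window and whether
the local sudoers policy even uses the host field the bug abuses."""
import re
import subprocess

# Upstream shipped the fix for CVE-2025-32462 in sudo 1.9.17p1 (assumption about
# upstream numbering; the SUSE advisory itself names no version). Distro builds
# backport fixes without bumping this number, so see the usage note.
FIXED_VERSION = (1, 9, 17, 1)


def parse_sudo_version(banner: str):
    """Turn a `sudo --version` banner such as "Sudo version 1.9.16p2" into a
    comparable tuple (major, minor, patch, p-level); None if it does not parse."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)(?:p(\d+))?", banner)
    if not m:
        return None
    major, minor, patch, plevel = m.groups()
    return (int(major), int(minor), int(patch), int(plevel or 0))


def version_in_window(version) -> bool:
    """True when the parsed version predates the upstream fix."""
    return version is not None and version < FIXED_VERSION


def host_specific_rules(sudoers_text: str) -> list:
    """Return Host_Alias definitions and user specifications whose host field
    is anything other than ALL. The --host bug only matters when such rules
    exist: it lets the invoking user pick which host's rules sudo applies."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if not line or line.startswith(("Defaults", "@")):
            continue
        if line.startswith("Host_Alias"):
            hits.append(raw.strip())
            continue
        if line.startswith(("User_Alias", "Runas_Alias", "Cmnd_Alias")):
            continue
        if "=" not in line:
            continue
        # User specification: <users> <hosts> = (<runas>) <commands>
        lhs = line.split("=", 1)[0].split()
        if len(lhs) < 2:
            continue
        if lhs[-1].upper() != "ALL":
            hits.append(raw.strip())
    return hits


def assess(banner: str, sudoers_text: str) -> dict:
    """Combine both signals: exposure needs an unfixed binary AND host rules."""
    version = parse_sudo_version(banner)
    rules = host_specific_rules(sudoers_text)
    return {
        "version": version,
        "version_in_window": version_in_window(version),
        "host_specific_rules": rules,
        "exposed": version_in_window(version) and bool(rules),
    }


# Constructed sample policy for the demo; not taken from any real system.
SAMPLE_SUDOERS = """\
Defaults env_reset
Host_Alias WEB = web01, web02
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
deploy  WEB = (root) /usr/bin/systemctl restart nginx
"""

if __name__ == "__main__":
    try:
        out = subprocess.run(["sudo", "--version"], capture_output=True,
                             text=True, check=False).stdout
        banner = out.splitlines()[0]
    except (OSError, IndexError):
        banner = "Sudo version 1.9.16p2"   # constructed fallback banner
    print(assess(banner, SAMPLE_SUDOERS))
```

The version comparison is only meaningful for upstream or self-built binaries. SUSE, like other distributions, backports the fix into the existing package version, so on a SUSE host the authoritative check is the package changelog (`rpm -q --changelog sudo | grep CVE-2025-32462`) after applying the update with `zypper patch`, not the number printed by `sudo --version`.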
Github Security Blog
added 2025/06/30 5:52 p.m.

Janssen Config API returns results without scope verification

Impact What kind of vulnerability is it? Who is impacted? The configAPI is an internal service and hence should never be exposed to the internet. With that said, this is a serious vulnerability that has a large internal attack surface and exposes all sorts of information from the IDP...

CVSS 8.2 · AI score 6.5 · EPSS 0.00343
Exploits 0 · References 7 · Affected Software 1
Vulnrichment
added 2025/06/30 5:19 p.m.

CVE-2025-52898 Frappe account takeover via password reset token leakage

Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, a carefully crafted request could lead to a malicious actor getting access to a user's password reset token. This can only be exploited on self hosted instances configured in a certain way. Frappe Cloud users...

CVSS 8.7 · AI score 6.6 · EPSS 0.00388
Exploits 0 · References 4
CVE
added 2025/06/30 5:19 p.m.

CVE-2025-52898

CVE-2025-52898 affects the Frappe framework (self-hosted deployments) prior to versions 14.94.3 and 15.58.0. A carefully crafted request could allow an attacker to access a user's password reset token, with impact on confidentiality, integrity, and availability as reflected in the CVE metrics. Fr...

CVSS 8.8 · AI score 6.6 · EPSS 0.00388
Exploits 0 · References 4 · Affected Software 1
NVD
added 2025/06/30 5:15 p.m.

CVE-2025-52896

Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds f...

CVSS 8.6 · EPSS 0.00241
Exploits 0 · References 4
NVD
added 2025/06/30 5:15 p.m.

CVE-2025-52895

Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow a malicious person to gain access to sensitive information. This issue has been patched in versions 14.94.3 and 15.58.0. There...

CVSS 8.7 · EPSS 0.00346
Exploits 0 · References 4
Cvelist
added 2025/06/30 5:12 p.m.

CVE-2025-52896 Frappe authenticated XSS via data import

Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds f...

CVSS 8.6 · EPSS 0.00241
Exploits 0 · References 4
CVE
added 2025/06/30 5:12 p.m.

CVE-2025-52896

CVE-2025-52896 affects Frappe (full-stack web app framework). Prior to versions 14.94.2 and 15.57.0, authenticated users could upload crafted files via Data Import, causing cross-site scripting (XSS). The issue is patched in 14.94.2 and 15.57.0; upgrade is the recommended remediation. No public w...

CVSS 8.6 · AI score 5.8 · EPSS 0.00241
Exploits 0 · References 4 · Affected Software 1
OSV
added 2025/06/30 5:12 p.m.

CVE-2025-52896 Frappe authenticated XSS via data import

Frappe is a full-stack web application framework. Prior to versions 14.94.2 and 15.57.0, authenticated users could upload carefully crafted malicious files via Data Import, leading to cross-site scripting (XSS). This issue has been patched in versions 14.94.2 and 15.57.0. There are no workarounds f...

CVSS 8.6 · AI score 6.1 · EPSS 0.00241
Exploits 0 · References 6
Cvelist
added 2025/06/30 5:05 p.m.

CVE-2025-52895 Frappe possibility of SQL injection due to improper validations

Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow a malicious person to gain access to sensitive information. This issue has been patched in versions 14.94.3 and 15.58.0. There...

CVSS 8.7 · EPSS 0.00346
Exploits 0 · References 4
Vulnrichment
added 2025/06/30 5:05 p.m.

CVE-2025-52895 Frappe possibility of SQL injection due to improper validations

Frappe is a full-stack web application framework. Prior to versions 14.94.3 and 15.58.0, SQL injection could be achieved via a specially crafted request, which could allow a malicious person to gain access to sensitive information. This issue has been patched in versions 14.94.3 and 15.58.0. There...

CVSS 8.7 · AI score 7.4 · EPSS 0.00346
Exploits 0 · References 4
CVE
added 2025/06/30 5:05 p.m.

CVE-2025-52895

CVE-2025-52895 affects the Frappe web framework. The vulnerability is a SQL injection that can be triggered by a specially crafted request, potentially exposing sensitive data. Affected versions are before 14.94.3 and 15.58.0. The issue has been patched in 14.94.3 and 15.58.0; there are no workar...

CVSS 8.7 · AI score 7.4 · EPSS 0.00346
Exploits 0 · References 4 · Affected Software 1
SUSE Linux
added 2025/06/30 2:32 p.m.

Security update for sudo

This update for sudo fixes the following issues: CVE-2025-32462: Fixed a possible local privilege escalation via the --host option (bsc#1245274). Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you...

CVSS 7.3 · AI score 9.3 · EPSS 0.03239
Exploits 12 · References 4
OSV
added 2025/06/30 7:29 a.m.

CVE-2025-38088 powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap

In the Linux kernel, the following vulnerability has been resolved: powerpc/powernv/memtrace: Fix out of bounds issue in memtrace mmap. The memtrace mmap handler has an out-of-bounds issue. This patch fixes it by checking that the requested mapping region size stays within the allocated region si...

CVSS 7.1 · AI score 6.5 · EPSS 0.0014
Exploits 0 · References 10
Positive Technologies
added 2025/06/30 12:00 a.m.

PT-2025-27432 · Code Projects · Code-Projects Inventory Management System

Name of the Vulnerable Software and Affected Versions: code-projects Inventory Management System version 1.0 Description: A critical issue affects the processing of the file /php action/removeUser.php. The manipulation of the userid argument leads to SQL injection. The attack can be initiated...

CVSS 9.8 · AI score 7.8 · EPSS 0.00399
Exploits 1 · References 9
Positive Technologies
added 2025/06/30 12:00 a.m.

PT-2025-27425 · Unknown · Daily Expense Manager

Name of the Vulnerable Software and Affected Versions: Daily Expense Manager version 1.0 Description: A Reflected Cross-Site Scripting (XSS) issue exists, allowing an attacker to execute JavaScript code. This is achieved by sending a POST request through the username parameter in the "/login.php" A...

CVSS 6.1 · AI score 6.2 · EPSS 0.00183
Exploits 0 · References 6
Positive Technologies
added 2025/06/30 12:00 a.m.

PT-2025-27412 · Dataease · Dataease

Name of the Vulnerable Software and Affected Versions: DataEase versions prior to 2.10.11 Description: DataEase is an open source business intelligence and data visualization tool. There is a bypass vulnerability in DataEase's PostgreSQL Data Source JDBC Connection Parameters. The sslfactory and...

CVSS 9.8 · AI score 7.1 · EPSS 0.00522
Exploits 1 · References 10
Positive Technologies
added 2025/06/30 12:00 a.m.

PT-2025-27426 · Unknown · Daily Expense Manager

Name of the Vulnerable Software and Affected Versions: Daily Expense Manager version 1.0 Description: The issue is a Reflected Cross-Site Scripting (XSS) vulnerability that allows an attacker to execute JavaScript code. This is achieved by sending a POST request through the password and confirm...

CVSS 6.1 · AI score 6 · EPSS 0.00183
Exploits 0 · References 4
RedhatCVE
added 2025/06/29 1:20 p.m.

CVE-2025-53018

Lychee is a free, open-source photo-management tool. Prior to version 6.6.13, a critical Server-Side Request Forgery (SSRF) vulnerability exists in the /api/v2/Photo::fromUrl endpoint. This flaw lets an attacker instruct the application's backend to make HTTP requests to any URL they choose...

CVSS 3 · AI score 7 · EPSS 0.00168
Exploits 0 · References 1
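The Lychee entry describes the failure mode of any "fetch this URL for me" endpoint: the backend follows whatever the caller supplies, including loopback, RFC 1918 and link-local addresses such as a cloud metadata service. The validator below is an added example and not Lychee's code; it shows the checks a fromUrl-style handler needs before fetching. The resolver is injectable so the demo runs offline against a constructed DNS table (FAKE_DNS); the default `system_resolver` uses the OS resolver. Function names, the allowed port set and the address 93.184.216.34 (used only as an illustrative public address) are assumptions of the example.

```python
"""Added example, not Lychee's code: validate a user-supplied URL before a
server-side fetch so fromUrl-style endpoints cannot be pointed at loopback,
private or link-local addresses."""
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}


def system_resolver(host: str) -> list:
    """Resolve via the OS; every answer is returned so multi-record
    responses (one public, one private) are all checked."""
    return [info[4][0] for info in socket.getaddrinfo(host, None)]


def is_public_address(ip: str) -> bool:
    """Reject anything that is not globally routable unicast."""
    addr = ipaddress.ip_address(ip)
    # IPv4-mapped IPv6 (::ffff:127.0.0.1) is judged by the embedded v4 address.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped:
        addr = addr.ipv4_mapped
    return addr.is_global and not addr.is_multicast


def validate_fetch_url(url: str, resolver=system_resolver) -> str:
    """Return the IP the fetcher should connect to, or raise ValueError.
    Connecting to the returned IP (with the original Host header) instead of
    re-resolving the name also closes the DNS-rebinding window."""
    parts = urlsplit(url)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme not allowed: {parts.scheme!r}")
    if parts.username or parts.password:
        raise ValueError("credentials in URL are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    port = parts.port or (443 if parts.scheme == "https" else 80)
    if port not in ALLOWED_PORTS:
        raise ValueError(f"port not allowed: {port}")
    # A literal IP skips DNS; a hostname is resolved and every answer checked.
    try:
        candidates = [str(ipaddress.ip_address(host))]
    except ValueError:
        candidates = resolver(host)
    if not candidates:
        raise ValueError("host did not resolve")
    for ip in candidates:
        if not is_public_address(ip):
            raise ValueError(f"{host} resolves to non-public address {ip}")
    return candidates[0]


# Constructed DNS answers for the offline demo; not real records.
FAKE_DNS = {
    "photos.example.org": ["93.184.216.34"],
    "rebind.example.org": ["93.184.216.34", "10.0.0.5"],
    "metadata.internal": ["169.254.169.254"],
}


def fake_resolver(host: str) -> list:
    return FAKE_DNS.get(host, [])


def check(url: str, resolver=fake_resolver) -> str:
    """Wrap the validator so each outcome is a plain string."""
    try:
        return "ok " + validate_fetch_url(url, resolver)
    except ValueError as exc:
        return "rejected: " + str(exc)


if __name__ == "__main__":
    for u in ("https://photos.example.org/a.jpg", "http://127.0.0.1/",
              "http://[::1]/", "http://[::ffff:127.0.0.1]/",
              "http://rebind.example.org/", "http://metadata.internal/latest/",
              "file:///etc/passwd", "http://user:pw@photos.example.org/"):
        print(u, "->", check(u))
```

Two details matter in practice. First, the check has to run on the resolved addresses, not the hostname string: a name is not "internal-looking" until DNS says so, and the rebind.example.org case shows why all answers must pass. Second, with the real OS resolver, non-dotted forms such as `http://2130706433/` are accepted by `getaddrinfo` as 127.0.0.1, which is exactly why the literal-IP branch falls through to resolution instead of assuming that "not a valid IP literal" means "a hostname".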
Positive Technologies
added 2025/06/29 12:00 a.m.

PT-2025-27388 · Sourcecodester · Sourcecodester Best Pos Management System

Name of the Vulnerable Software and Affected Versions: SourceCodester Best Salon Management System version 1.0 Description: A critical issue was found in the system, affecting some unknown functionality of the file /panel/add-category.php. The manipulation of the Name argument leads to SQL...

CVSS 8.8 · AI score 8.1 · EPSS 0.00361
Exploits 1 · References 10
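Three entries on this page are SQL injections of the same shape: the Frappe CVE-2025-52895 (a crafted request exposing sensitive information), the code-projects Inventory Management System (the userid argument of removeUser.php) and the SourceCodester entry above (the Name argument of add-category.php). None of them shows code, so the block below is an added example, not code from any of those projects, and it uses Python with an in-memory SQLite table rather than the PHP and MySQL the two PHP applications ship with. It reproduces a removeUser-style handler that splices the request parameter into the statement, beside the parameterized version, and the same pair for a lookup. The table contents and function names are constructed for the demo.

```python
"""Added example, not code from Frappe, code-projects or SourceCodester: the
generic SQL injection pattern behind the entries above, with the fix."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data; not taken from any of the listed products."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.commit()
    return conn


def remove_user_vulnerable(conn, userid: str) -> int:
    """Mirrors a removeUser.php-style handler that splices the request
    parameter straight into the statement. Returns rows deleted."""
    cur = conn.execute(f"DELETE FROM users WHERE userid = {userid}")
    conn.commit()
    return cur.rowcount


def remove_user_safe(conn, userid: str) -> int:
    """Same operation with the value validated as an integer and bound as a
    parameter, so the database never interprets attacker text as SQL."""
    uid = int(userid)          # raises ValueError on "1 OR 1=1", "1; --", ...
    cur = conn.execute("DELETE FROM users WHERE userid = ?", (uid,))
    conn.commit()
    return cur.rowcount


def lookup_vulnerable(conn, name: str) -> list:
    """String-spliced lookup: an input such as  x' OR '1'='1  returns every
    row, which is the "access to sensitive information" outcome."""
    return conn.execute(
        f"SELECT userid, name FROM users WHERE name = '{name}'").fetchall()


def lookup_safe(conn, name: str) -> list:
    """Bound parameter: the quote and OR clause stay inside the value."""
    return conn.execute(
        "SELECT userid, name FROM users WHERE name = ?", (name,)).fetchall()


def count_users(conn) -> int:
    return conn.execute("SELECT COUNT(*) FROM users").fetchone()[0]


def demo() -> dict:
    """Run the attacker input through both handlers and report what happened."""
    results = {}
    payload = "1 OR 1=1"                      # tautology: matches every row

    conn = make_db()
    results["vulnerable_deleted"] = remove_user_vulnerable(conn, payload)

    conn = make_db()
    try:
        remove_user_safe(conn, payload)
        results["safe_deleted"] = -1          # should never get here
    except ValueError:
        results["safe_deleted"] = 0           # rejected before reaching SQL
    results["safe_remaining"] = count_users(conn)
    results["safe_legit_deleted"] = remove_user_safe(conn, "2")

    probe = "x' OR '1'='1"
    results["vulnerable_lookup"] = len(lookup_vulnerable(conn, probe))
    results["safe_lookup"] = len(lookup_safe(conn, probe))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The integer cast in `remove_user_safe` is belt-and-braces: binding alone already neutralizes the payload, but validating the type at the edge also turns a probe into a visible error rather than a silent no-op, which is what you want in the application log.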