30383 matches found

SUSE Linux · added 2025/06/26 3:34 p.m.

Security update for the Linux Kernel (Live Patch 52 for SLE 15 SP3)

This update for the Linux Kernel 5.3.18-150300_59_188 fixes several issues. The following security issues were fixed: CVE-2024-56601: net: inet: do not leave a dangling sk pointer in inet_create (bsc#1235231). CVE-2022-49545: ALSA: usb-audio: Cancel pending work at closing a MIDI substream (bsc#1238730)...

CVSS 8.5 · AI score 8.1 · EPSS 0.00248
Exploits: 0 · References: 8
SUSE Linux · added 2025/06/26 9:04 a.m.

Security update for the Linux Kernel (Live Patch 5 for SLE 15 SP6)

This update for the Linux Kernel 6.4.0-150600_23_25 fixes several issues. The following security issues were fixed: CVE-2024-56601: net: inet: do not leave a dangling sk pointer in inet_create (bsc#1235231). CVE-2024-50279: dm cache: fix out-of-bounds access to the dirty bitset when resizing (bsc#1233708)...

CVSS 8.5 · AI score 8.0 · EPSS 0.00272
Exploits: 0 · References: 44
IBM Security Bulletins · added 2025/06/26 5:48 a.m.

Security Bulletin: There is a vulnerability in prism-1.28.0.js used by IBM Maximo Asset Management application (CVE-2024-53382)

Summary: There is a vulnerability in prism-1.28.0.js used by IBM Maximo Asset Management application (CVE-2024-53382). Vulnerability Details: CVEID: CVE-2024-53382. DESCRIPTION: Prism aka PrismJS through 1.29.0 allows DOM Clobbering with resultant XSS for untrusted input that contains HTML but does not...

CVSS 5.4 · AI score 5.8 · EPSS 0.00293
Exploits: 1 · Affected Software: 1
RedhatCVE · added 2025/06/26 4:17 a.m.

CVE-2024-56731

Gogs is an open source self-hosted Git service. Prior to version 0.13.3, it's still possible to delete files under the .git directory and achieve remote command execution due to an insufficient patch for CVE-2024-39931. Unprivileged user accounts can execute arbitrary commands on the Gogs instanc...

CVSS 10 · AI score 8.5 · EPSS 0.50697
Exploits: 0 · References: 1
Positive Technologies · added 2025/06/26 12:00 a.m.

PT-2025-26992

Name of the Vulnerable Software and Affected Versions: Vacron Network Video Recorder NVR devices version 1.4. Description: A remote command injection issue exists due to improper input sanitization in the board.cgi script. This allows unauthenticated attackers to pass arbitrary commands to the...

CVSS 10 · AI score 8.5 · EPSS 0.09001
Exploits: 0 · References: 11
Positive Technologies · added 2025/06/26 12:00 a.m.

PT-2025-26970 · Apple · iOS Simulator MCP Server

Name of the Vulnerable Software and Affected Versions: iOS Simulator MCP Server versions prior to 1.3.3. Description: The issue concerns a command injection vulnerability in the MCP Server tool definition and implementation. The MCP Server exposes the tool ui_tap, which relies on the Node.js child...

CVSS 6 · AI score 7.8 · EPSS 0.00658
Exploits: 0 · References: 9
Tenable Nessus · added 2025/06/26 12:00 a.m.

RHEL 10 : .NET 9.0 (RHSA-2025:8816)

The remote Red Hat Enterprise Linux 10 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2025:8816 advisory. .NET is a managed-software framework. It implements a subset of the .NET framework APIs and several new APIs, and it includes a CLR implementation...

CVSS 7.5 · AI score 7.0 · EPSS 0.0089
Exploits: 0 · References: 4
Patchstack · added 2025/06/26 12:00 a.m.

WordPress Red Art Theme <= 3.7 is vulnerable to PHP Object Injection

Software: Red Art · Type: Theme · Vulnerable versions: <= 3.7 · Fixed in: N/A · OWASP Top 10: A3: Injection · Classification: PHP Object Injection · CVE: CVE-2025-52828 · Patch priority: High · CVSS severity: High 8.8 · PSID: 443adc1cb34f · Credits: Frank · Required privilege: Subscriber · Published: 26 June...

CVSS 8.8 · AI score 6.8 · EPSS 0.00344
Exploits: 0 · References: 1 · Affected Software: 1
Patchstack · added 2025/06/25 8:39 p.m.

WordPress WP Masonry & Infinite Scroll plugin <= 2.2 - Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting vulnerability discovered by Peter Thaleikis in WordPress plugin WP Masonry & Infinite Scroll versions <= 2.2...

CVSS 6.4 · AI score 5.5 · EPSS 0.00204
Exploits: 0 · References: 1 · Affected Software: 1
OSV · added 2025/06/25 4:59 p.m.

CVE-2025-52894 OpenBao Vulnerable to Unauthenticated Rekey Operation Cancellation

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of...

CVSS 6.9 · AI score 6.4 · EPSS 0.00331
Exploits: 0 · References: 6
AlpineLinux · added 2025/06/25 4:59 p.m.

CVE-2025-52894

OpenBao exists to provide a software solution to manage, store, and distribute sensitive data including secrets, certificates, and keys. OpenBao before v2.3.0 allowed an attacker to perform unauthenticated, unaudited cancellation of root rekey and recovery rekey operations, effecting a denial of...

CVSS 7.5 · AI score 7.1 · EPSS 0.00331
Exploits: 0
Vulnrichment · added 2025/06/25 4:51 p.m.

CVE-2025-52890 Incus vulnerable to antispoofing nftables firewall rule bypass on bridge networks with ACLs

Incus is a system container and virtual machine manager. When using an ACL on a device connected to a bridge, Incus versions 6.12 and 6.13 generate nftables rules that partially bypass the security options security.mac_filtering, security.ipv4_filtering and security.ipv6_filtering. This can lead to ARP...

CVSS 8.1 · AI score 7.2 · EPSS 0.00195
Exploits: 0 · References: 2
Vulnrichment · added 2025/06/25 4:46 p.m.

CVE-2025-52576 Kanboard vulnerable to Username Enumeration via Login Behavior and Bruteforce Protection Bypass

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard is vulnerable to username enumeration and IP spoofing-based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers, an attacker can determine vali...

CVSS 5.3 · AI score 7.1 · EPSS 0.00299
Exploits: 0 · References: 4
Cvelist · added 2025/06/25 4:46 p.m.

CVE-2025-52576 Kanboard vulnerable to Username Enumeration via Login Behavior and Bruteforce Protection Bypass

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard is vulnerable to username enumeration and IP spoofing-based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers, an attacker can determine vali...

CVSS 5.3 · EPSS 0.00299
Exploits: 0 · References: 4
CVE · added 2025/06/25 4:46 p.m.

CVE-2025-52576

Kanboard prior to version 1.2.46 is vulnerable to username enumeration and IP spoofing-based brute-force protection bypass. By analyzing login behavior and abusing trusted HTTP headers, an attacker can enumerate valid usernames and bypass rate-limiting or IP-based blocking mechanisms, increasing ...

CVSS 5.3 · AI score 7.1 · EPSS 0.00299
Exploits: 0 · References: 4 · Affected Software: 1
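The three Kanboard entries above (Vulnrichment, Cvelist and CVE) describe the same mechanism: a per-IP lockout that takes the client address from a client-controlled header, so one attacking host can rotate the header value and never trip the counter. The following is an added example, not Kanboard's code, showing the vulnerable resolver, a resolver that only honours X-Forwarded-For when the TCP peer is a proxy the operator runs, and a simulated brute-force run against each. The failure threshold, the proxy address 192.0.2.10 and the attacker address 203.0.113.9 are constructed for the example.

```javascript
// Added example (not Kanboard's code): spoofable client IP vs. trusted-proxy resolution.
const MAX_FAILURES = 5; // assumption: lock an address after five failed logins

// VULNERABLE: believes whatever the client sent in X-Forwarded-For.
function clientIpVulnerable(headers, peerAddr) {
  const xff = headers["x-forwarded-for"];
  return xff ? xff.split(",")[0].trim() : peerAddr;
}

// SAFE: honour X-Forwarded-For only when the TCP peer is one of our proxies, and
// take the right-most address that is not one of our proxies (the hop the proxy
// appended), never the left-most value the client wrote itself.
function clientIpSafe(headers, peerAddr, trustedProxies) {
  if (!trustedProxies.has(peerAddr)) return peerAddr;
  const xff = headers["x-forwarded-for"];
  if (!xff) return peerAddr;
  const hops = xff.split(",").map((s) => s.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.has(hops[i])) return hops[i];
  }
  return peerAddr;
}

// Minimal per-IP failure counter standing in for the application's lockout logic.
class FailureTracker {
  constructor() { this.failures = new Map(); }
  isBlocked(ip) { return (this.failures.get(ip) || 0) >= MAX_FAILURES; }
  recordFailure(ip) { this.failures.set(ip, (this.failures.get(ip) || 0) + 1); }
}

// Constructed scenario: one attacker host (203.0.113.9) sends 20 wrong passwords and
// rewrites X-Forwarded-For on every request. Returns how many guesses reached the
// password check instead of being blocked.
function simulateBruteForce(resolveIp) {
  const tracker = new FailureTracker();
  let reachedPasswordCheck = 0;
  for (let i = 0; i < 20; i++) {
    const headers = { "x-forwarded-for": `10.0.${i}.1` }; // spoofed, different each time
    const ip = resolveIp(headers, "203.0.113.9");
    if (tracker.isBlocked(ip)) continue;
    reachedPasswordCheck++;
    tracker.recordFailure(ip); // every guess is wrong in this scenario
  }
  return reachedPasswordCheck;
}

const TRUSTED_PROXIES = new Set(["192.0.2.10"]); // assumption: our reverse proxy

function attemptsWithVulnerableResolver() {
  return simulateBruteForce(clientIpVulnerable);
}
function attemptsWithSafeResolver() {
  return simulateBruteForce((h, p) => clientIpSafe(h, p, TRUSTED_PROXIES));
}
```

With the vulnerable resolver every request looks like a new client and all 20 guesses are processed; with the safe resolver the attacker's real peer address is used, so only the first five reach the password check. Requests that genuinely arrive via the proxy still get the right client address, because the proxy appends it as the last hop and the resolver reads from the right.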
CVE · added 2025/06/25 4:06 p.m.

CVE-2025-52479

The CVE-2025-52479 issue affects URIs.jl (before v1.6.0) and HTTP.jl (before v1.10.17), enabling construction of URIs containing CR/LF characters and potentially enabling CRLF injection. The vulnerability is described in OSV-JLSEC-2025-1 and corroborated by Red Hat and CVE sources: using vulnerab...

CVSS 8.7 · AI score 7.4 · EPSS 0.00363
Exploits: 0 · References: 3
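The entry above concerns a URI library that lets CR/LF through into a URI, which becomes a header or request split once an HTTP client serialises that URI. The following is an added example, not code from URIs.jl or HTTP.jl, written in JavaScript to keep one language for the examples on this page: an unchecked URI builder, a checked builder that rejects control characters in every component, and a function that renders the request head a client would write so the split is visible. The host example.test, the path and the injected header are constructed for the example.

```javascript
// Added example (not URIs.jl/HTTP.jl code): CRLF in a URI component splits the request.

// Unchecked: concatenates components as given, CR/LF included.
function buildUriUnchecked(parts) {
  const query = parts.query ? "?" + parts.query : "";
  return `${parts.scheme}://${parts.host}${parts.path}${query}`;
}

// Checked: refuse any ASCII control character (CR, LF, NUL, TAB, ...) in any component.
const CTRL_RE = /[\x00-\x1f\x7f]/;
function buildUriChecked(parts) {
  for (const name of ["scheme", "host", "path", "query"]) {
    const value = parts[name];
    if (value != null && CTRL_RE.test(value)) {
      throw new Error(`${name} contains control characters`);
    }
  }
  return buildUriUnchecked(parts);
}

// Renders the request head an HTTP/1.1 client would send for an absolute URI.
// Deliberately does not use the WHATWG URL parser, which silently strips CR/LF and
// would hide the problem; a client that builds the request by string formatting does not.
function requestHead(uri) {
  const m = /^([a-z]+):\/\/([^/]+)(.*)$/s.exec(uri);
  if (!m) throw new Error("not an absolute URI");
  const host = m[2];
  const target = m[3] || "/";
  return `GET ${target} HTTP/1.1\r\nHost: ${host}\r\n\r\n`;
}
function headLines(head) {
  return head.split("\r\n").filter(Boolean);
}

// Constructed attacker input: the query parameter carries a CRLF and a new header.
const attackerParts = {
  scheme: "https",
  host: "example.test",
  path: "/api/v1/items",
  query: "id=1\r\nX-Injected: yes",
};

// With the unchecked builder the rendered head gains an attacker-controlled line.
function injectedLineFromUnchecked() {
  const lines = headLines(requestHead(buildUriUnchecked(attackerParts)));
  return lines.find((l) => l.startsWith("X-Injected")) || null;
}
// The checked builder refuses the same input before any request is formed.
function checkedRejectsAttacker() {
  try {
    buildUriChecked(attackerParts);
    return false;
  } catch {
    return true;
  }
}
```

The check belongs at the URI layer, not only at the socket: once the URI is accepted as a value, every consumer (logging, redirects, proxying, the HTTP client itself) has to be trusted to re-validate it, and as the advisory shows, at least one of them will not.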
Cvelist · added 2025/06/25 3:48 p.m.

CVE-2025-50179 Tuleap missing CSRF protection on tracker reports manipulation

Tuleap is an Open Source Suite to improve management of software developments and collaboration. An attacker could use a cross-site request forgery vulnerability in Tuleap Community Edition prior to version 16.8.99.1749830289 and Tuleap Enterprise Edition prior to version 16.9-1 to trick victims...

CVSS 4.6 · EPSS 0.00147
Exploits: 0 · References: 4
Cvelist · added 2025/06/25 3:39 p.m.

CVE-2025-49845 Discourse users are able to see their own whispers even after being removed from a group that has been configured to see whispers

Discourse is an open-source discussion platform. The visibility of posts typed whisper is controlled via the whispers_allowed_groups site setting. Only users that belong to groups specified in the site setting are allowed to view posts typed whisper. However, it has been discovered that users of...

CVSS 6.3 · EPSS 0.00299
Exploits: 0 · References: 1
CVE · added 2025/06/25 3:39 p.m.

CVE-2025-49845

Discourse has a vulnerability (CVE-2025-49845) where users on versions prior to 3.4.6 (stable) or 3.5.0.beta8-dev (tests-passed) can still view their own whispers after losing visibility to posts typed whisper. The issue is fixed in 3.4.6 and 3.5.0.beta8-dev. No publicly provided workarounds are ...

CVSS 7.5 · AI score 6.8 · EPSS 0.00299
Exploits: 0 · References: 1 · Affected Software: 1
Vulnrichment · added 2025/06/25 3:12 p.m.

CVE-2025-50178 GitForge.jl lacks validation for user provided fields

GitForge.jl is a unified interface for interacting with Git "forges." Versions prior to 0.4.3 lack input validation for user provided values in certain functions. In the GitForge.get_repo function for GitHub, the user can provide any string for the owner and repo fields. These inputs are not...

CVSS 8.7 · AI score 7.2 · EPSS 0.00414
Exploits: 0 · References: 2