CVE-2025-52570 Letmein connection limiter allows an arbitrary amount of simultaneous connections

Letmein is an authenticating port knocker. Prior to version 10.2.1, The connection limiter is implemented incorrectly. It allows an arbitrary amount of simultaneously incoming connections TCP, UDP and Unix socket for the services letmeind and letmeinfwd. Therefore, the command line option...

CVE-2025-52560 Kanboard Password Reset Poisoning via Host Header Injection

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard allows password reset emails to be sent with URLs derived from the unvalidated Host header when the applicationurl configuration is unset default behavior. This allows an attacker to...

CVE-2025-52560 Kanboard Password Reset Poisoning via Host Header Injection

Kanboard is project management software that focuses on the Kanban methodology. Prior to version 1.2.46, Kanboard allows password reset emails to be sent with URLs derived from the unvalidated Host header when the applicationurl configuration is unset default behavior. This allows an attacker to...

CVE-2025-52574 SysmonElixir path traversal in /read endpoint allows arbitrary file read

SysmonElixir is a system monitor HTTP service in Elixir. Prior to version 1.0.1, the /read endpoint reads any file from the server's /etc/passwd by default. In v1.0.1, a whitelist was added that limits reading to only files under priv/data. This issue has been patched in version 1.0.1...

PT-2025-26743

Name of the Vulnerable Software and Affected Versions: Quest KACE Systems Management Appliance SMA versions 13.0.x through 13.0.384 Quest KACE Systems Management Appliance SMA versions 13.1.x through 13.1.80 Quest KACE Systems Management Appliance SMA versions 13.2.x through 13.2.182 Quest KACE...

PT-2025-26779 · Hikka · Hikka

Name of the Vulnerable Software and Affected Versions: Hikka versions prior to 1.6.2 Description: A vulnerability in Hikka Telegram userbot allows an unauthenticated attacker to gain access to a victim's Telegram account and full access to the server. The issue affects all users of versions below...

PT-2025-26753 · Unknown · Phpgurukul Online Dj Booking Management System

Name of the Vulnerable Software and Affected Versions: PHPGurukul Online DJ Booking Management System version 2.0 Description: The issue concerns Cross Site Scripting XSS in specific API endpoints, namely "/admin/view-booking-detail.php" and "/admin/invoice-generating.php". Recommendations: For...

GHSA-JPV7-P47H-F43J letmein connection limiter allows an arbitrary amount of simultaneous connections

Impact The connection limiter is implemented incorrectly. It allows an arbitrary amount of simultaneously incoming connections TCP, UDP and Unix socket for the services letmeind and letmeinfwd. Therefore, the command line option num-connections is not effective and does not limit the number of...

GHSA-9F65-56V6-GXW7 Claude Code Improper Authorization via websocket connections from arbitrary origins

Claude Code extensions in VSCode and forks e.g., Cursor, Windsurf, and VSCodium and JetBrains IDEs e.g., IntelliJ, Pycharm, and Android Studio are vulnerable to unauthorized websocket connections from an attacker when visiting attacker-controlled webpages. Claude Code for VSCode IDE extensions...

CVE-2025-52562

Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the LocaleController component of Performave Convoy. An unauthenticated remote attacker can exploit this vulnerability by sending a specially...

CVE-2025-52562 Convey Panel Directory Traversal in LocaleController leading to Remote Code Execution

Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the LocaleController component of Performave Convoy. An unauthenticated remote attacker can exploit this vulnerability by sending a specially...

CVE-2025-52562 Convey Panel Directory Traversal in LocaleController leading to Remote Code Execution

Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the LocaleController component of Performave Convoy. An unauthenticated remote attacker can exploit this vulnerability by sending a specially...

CVE-2025-49126 Visionatrix Vulnerable to Reflected XSS Leading to Exfiltration of Secrets

Visionatrix is an AI Media processing tool using ComfyUI. In versions 1.5.0 to before 2.5.1, the /docs/flows endpoint is vulnerable to a Reflected XSS Cross-Site Scripting attack allowing full takeover of the application and exfiltration of secrets stored in the application. The implementation us...

Security update for gpg2

This update for gpg2 fixes the following issues: CVE-2025-30258: Fixed a verification DoS due to a malicious subkey in the keyring. bsc1239119 Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST onlineupdate or "zypper patch". Alternatively you...

Bypass of Mysql Jdbc Attck for CVE-2025-6507

Credits Le1ahttps://github.com/Le1a A1kaidhttps://github.com/for-A1kaid ph0ebushttps://github.com/ph0ebus Description Attackers can exploit this vulnerability to read any system file and even execute arbitrary code through deserialization. The project manager fixed CVE-2025-6507 which I discovere...

CVE-2025-49590

CryptPad is a collaboration suite. Prior to version 2025.3.0, the "Link Bouncer" functionality attempts to filter javascript URIs to prevent Cross-Site Scripting XSS, however this can be bypassed. There is an "early allow" code path that happens before the URI's protocol/scheme is checked, which ...

CVE-2022-50163

In the Linux kernel, the following vulnerability has been resolved: ax25: fix incorrect devtracker usage While investigating a separate rose issue 1, and enabling CONFIGNETDEVREFCNTTRACKER=y, Bernard reported an orthogonal ax25 issue 2 An ax25dev can be used by one or many struct ax25cb. We thus...

CVE-2025-52552

FastGPT is an AI Agent building platform. Prior to version 4.9.12, the LastRoute Parameter on login page is vulnerable to open redirect and DOM-based XSS. Improper validation and lack of sanitization of this parameter allows attackers execute malicious JavaScript or redirect them to...

CVE-2025-6283

A vulnerability was found in xataio Xata Agent up to 0.3.0. It has been classified as problematic. This affects the function GET of the file apps/dbagent/src/app/api/evals/route.ts. The manipulation of the argument passed leads to path traversal. Upgrading to version 0.3.1 is able to address this...

CVE-2025-52487

DNN formerly DotNetNuke is an open-source web content management platform CMS in the Microsoft ecosystem. In versions 7.0.0 to before 10.0.1, DNN.PLATFORM allows a specially crafted request or proxy to be created that could bypass the design of DNN Login IP Filters allowing login attempts from IP...