CVE-2025-38077 platform/x86: dell-wmi-sysman: Avoid buffer overflow in current_password_store()

In the Linux kernel, the following vulnerability has been resolved: platform/x86: dell-wmi-sysman: Avoid buffer overflow in currentpasswordstore If the 'buf' array received from the user contains an empty string, the 'length' variable will be zero. Accessing the 'buf' array element with index...

CVE-2025-38056 ASoC: SOF: Intel: hda: Fix UAF when reloading module

In the Linux kernel, the following vulnerability has been resolved: ASoC: SOF: Intel: hda: Fix UAF when reloading module hdagenericmachineselect appends -idisp to the tplg filename by allocating a new string with devmkasprintf, then stores the string right back into the global variable...

Veeam Patches CVE-2025-23121: Critical RCE Bug Rated 9.9 CVSS in Backup & Replication

Veeam has rolled out patches to contain a critical security flaw impacting its Backup & Replication software that could result in remote code execution under certain conditions. The security defect, tracked as CVE-2025-23121, carries a CVSS score of 9.9 out of a maximum of 10.0. "A vulnerability...

CVE-2025-50202

Lychee (PHP-based photo-management tool) has a path traversal vulnerability in SecurePathController.php affecting versions 6.6.6–6.6.9. The issue allows leakage of local files, including environment variables, nginx logs, other users’ uploaded images, and configuration secrets. The root cause is ...

PT-2025-26171 · Open5Gs · Open5Gs

Name of the Vulnerable Software and Affected Versions: open5gs versions 2.7.2 and earlier Description: A missing length check in the ogs pfcp subnet add function from the PFCP library allows a local attacker to cause a Buffer Overflow by changing the session.dnn field with a value with length...

PT-2025-26082 · Linux · Linux Kernel

Name of the Vulnerable Software and Affected Versions: Linux kernel affected versions not specified Description: A buffer overflow issue has been identified in the Linux kernel, specifically in the cp2112 xfer function. The read length variable, which is provided by data-block0 and comes from use...

PT-2025-25976 · Linux +1 · Linux Kernel +1

Name of the Vulnerable Software and Affected Versions: Linux kernel affected versions not specified Description: A potential buffer overflow issue has been identified in the Linux kernel, specifically in the ASoC: SOF: Intel: hda component. The issue arises from the use of snprintf, which returns...

PT-2025-25978 · Linux · Linux Kernel

Name of the Vulnerable Software and Affected Versions: Linux kernel affected versions not specified Description: A potential buffer overflow issue has been identified in the Linux kernel, specifically in the ASoC: Intel: avs component. The issue arises from the use of snprintf, which returns the...

CVE-2025-49843

The CVE-2025-49843 issue affects conda-smithy prior to version 3.47.1, where the travis_headers function creates files with permissions exceeding 0o600, potentially allowing read/write access beyond the intended user. This weakens least-privilege protections and could let an attacker access confi...

CVE-2025-49843 conda-smithy Has Incorrect Default File Permissions

conda-smithy is a tool for combining a conda recipe with configurations to build using freely hosted CI services into a single repository. Prior to version 3.47.1, the travisheaders function in the conda-smithy repository creates files with permissions exceeding 0o600, allowing read and write...

CVE-2025-49842

conda-forge-webservices is the web app deployed to run conda-forge admin commands and linting. Prior to version 2025.3.24, the condaforgewebservice Docker container executes commands without specifying a user. By default, Docker containers run as the root user, which increases the risk of privile...

WordPress Master Slider plugin <= 3.10.8 - Authenticated (Contributor+) Stored Cross-Site Scripting via masterslider_pb and ms_slide Shortcodes vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via mastersliderpb and msslide Shortcodes vulnerability discovered by muhammad yudha in WordPress Plugin Master Slider versions = 3.10.8...

Security Bulletin: IBM Cloud Pak for Data is vulnerable to Cross-site Scripting (XSS) due to server-static package ( CVE-2024-43800 )

Summary Potential vulnerabilities in server-static package CVE-2024-43800 has been identified that may affect IBM Cloud Pak for Data. Vulnerability Details CVEID:CVE-2024-43800 DESCRIPTION: serve-static serves static files. serve-static passes untrusted user input - even after sanitizing it - to...

CVE-2025-49823 Conda Constructor Command Injection via Unsanitized User Input (Low)

conda Constructor is a tool which allows constructing an installer for a collection of conda packages. Prior to version 3.11.3, shell installer scripts process the installation prefix userprefix using an eval statement, which executes unsanitized user input as shell code. Although the script runs...

CVE-2025-48993 Group-Office vulnerable to reflected XSS via Look and Feel Formatting input

Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.123 and 25.0.27, a malicious JavaScript payload can be executed via the Look and Feel formatting fields. Any user can update their Look and Feel Formatting input fields, but the web applicatio...

PT-2025-25609 · Unknown · Steel Browser

Name of the Vulnerable Software and Affected Versions: Steel Browser versions up to 0.1.3 Description: A critical vulnerability was found in Steel Browser, affecting the handleFileUpload function of the file api/src/modules/files/files.routes.ts. The manipulation of the filename argument leads to...

CVE-2025-30681 affecting package mysql for versions less than 8.0.42-1

CVE-2025-30681 affecting package mysql for versions less than 8.0.42-1. An upgraded version of the package is available that resolves this issue...

CVE-2025-30683 affecting package mysql for versions less than 8.0.42-1

CVE-2025-30683 affecting package mysql for versions less than 8.0.42-1. An upgraded version of the package is available that resolves this issue...

Security Updates for Outlook (June 2025)

The Microsoft Outlook application installed on the remote host is missing a security update. It is, therefore, affected by the following vulnerability: - A remote code execution vulnerability. An attacker can exploit this to bypass authentication and execute unauthorized arbitrary commands...

CVE-2025-49134

Weblate is a web based localization tool. Prior to version 5.12, the audit log notifications included the full IP address of the acting user. This could be obtained by third-party servers such as SMTP relays, or spam filters. This issue has been patched in version 5.12...