
30384 matches found

Cvelist
added 2025/06/04 7:35 p.m. · 19 views

CVE-2025-31134 FreshRSS vulnerable to directory enumeration via ext.php

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, an attacker can gain additional information about the server by checking if certain directories exist. An attacker can, for example, check if older PHP versions are installed or if certain software is installed on the server...

6.9 CVSS · 0.00395 EPSS
Exploits 1 · References 2

CVE
added 2025/06/04 7:35 p.m. · 60 views

CVE-2025-31134

FreshRSS vulnerable before version 1.26.2 due to a directory existence check (ext.php related) that can disclose server information. An attacker could infer presence of older PHP versions or other installed software, aiding further targeted actions. Version 1.26.2 fixes the issue with a patch. Th...

7.5 CVSS · 6.5 AI score · 0.00395 EPSS
Exploits 1 · References 2 · Affected Software 1

OSV
added 2025/06/04 7:35 p.m. · 5 views

CVE-2025-31134 FreshRSS vulnerable to directory enumeration via ext.php

FreshRSS is a self-hosted RSS feed aggregator. Prior to version 1.26.2, an attacker can gain additional information about the server by checking if certain directories exist. An attacker can, for example, check if older PHP versions are installed or if certain software is installed on the server...

6.9 CVSS · 6.8 AI score · 0.00395 EPSS
Exploits 1 · References 4

Vulnrichment
added 2025/06/04 7:31 p.m. · 8 views

CVE-2025-48935 Deno has --allow-read / --allow-write permission bypass in `node:sqlite`

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 2.2.0 and prior to versions 2.2.5, it is possible to bypass Deno's permission read/write db permission check by using ATTACH DATABASE statement. Version 2.2.5 contains a patch for the issue...

6.9 CVSS · 7.1 AI score · 0.0041 EPSS
Exploits 1 · References 2

Cvelist
added 2025/06/04 7:15 p.m. · 16 views

CVE-2025-48888 Deno run with --allow-read and --deny-read flags results in allowed

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, deno run --allow-read --deny-read main.ts results in allowed, even though 'deny' should be stronger. The result is the same with all global unary permissions give...

6.9 CVSS · 0.00342 EPSS
Exploits 1 · References 6

Vulnrichment
added 2025/06/04 7:15 p.m. · 4 views

CVE-2025-48888 Deno run with --allow-read and --deny-read flags results in allowed

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, deno run --allow-read --deny-read main.ts results in allowed, even though 'deny' should be stronger. The result is the same with all global unary permissions give...

6.9 CVSS · 7 AI score · 0.00342 EPSS
Exploits 1 · References 6

OSV
added 2025/06/04 7:15 p.m. · 6 views

CVE-2025-48888 Deno run with --allow-read and --deny-read flags results in allowed

Deno is a JavaScript, TypeScript, and WebAssembly runtime. Starting in version 1.41.3 and prior to versions 2.1.13, 2.2.13, and 2.3.2, deno run --allow-read --deny-read main.ts results in allowed, even though 'deny' should be stronger. The result is the same with all global unary permissions give...

6.9 CVSS · 6.5 AI score · 0.00342 EPSS
Exploits 1 · References 8

The Hacker News
added 2025/06/04 5:23 a.m. · 30 views

HPE Issues Security Patch for StoreOnce Bug Allowing Remote Authentication Bypass

Hewlett Packard Enterprise (HPE) has released security updates to address as many as eight vulnerabilities in its StoreOnce data backup and deduplication solution that could result in an authentication bypass and remote code execution. "These vulnerabilities could be remotely exploited to allow...

7.5 CVSS · 8.6 AI score · 0.99957 EPSS
Exploits 2

Positive Technologies
added 2025/06/04 12:0 a.m. · 4 views

PT-2025-23790 · Unknown · Codeastro Real Estate Management System

Name of the Vulnerable Software and Affected Versions: CodeAstro Real Estate Management System version 1.0 Description: A critical issue affects the processing of the file /profile.php. The manipulation of the content argument leads to SQL injection. The attack can be initiated remotely. An explo...

9.8 CVSS · 6.9 AI score · 0.00422 EPSS
Exploits 2 · References 9

CNNVD
added 2025/06/04 12:0 a.m. · 9 views

SAMSUNG SMR Security Vulnerability

SAMSUNG SMR is a system patch package from the South Korean company Samsung SAMSUNG. It provides patches for Samsung cell phone applications. A security vulnerability exists in versions prior to SAMSUNG SMR Jun-2025 Release 1, which stems from improper export of Android application components and...

5.1 CVSS · 6 AI score · 0.00116 EPSS
Exploits 0 · References 1

Positive Technologies
added 2025/06/04 12:0 a.m. · 3 views

PT-2025-23710 · Unknown · Freefloat Ftp Server

Name of the Vulnerable Software and Affected Versions: FreeFloat FTP Server version 1.0 Description: A critical issue affects an unknown functionality of the PBSZ Command Handler component, leading to a buffer overflow. This can be exploited remotely. The exploit has been publicly disclosed and m...

9.8 CVSS · 7.4 AI score · 0.00565 EPSS
Exploits 1 · References 10

Patchstack
added 2025/06/04 12:0 a.m. · 7 views

WordPress Spare Theme <= 1.7 is vulnerable to Cross Site Scripting (XSS)

Software Spare Type Theme Vulnerable versions = 1.7 Fixed in N/A OWASP Top 10 A3: Injection Classification Cross Site Scripting XSS CVE CVE-2025-31638 Patch priority Medium CVSS severity Medium 7.1 Developer Claim ownership PSID 7f04b8ce15e4 Credits Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity...

7.1 CVSS · 6.5 AI score · 0.00235 EPSS
Exploits 0 · References 1 · Affected Software 1

Positive Technologies
added 2025/06/04 12:0 a.m. · 1 view

PT-2025-23840 · Deno · Deno

Name of the Vulnerable Software and Affected Versions: Deno versions 1.41.3 through 2.1.12 Deno versions 1.41.3 through 2.2.12 Deno versions 1.41.3 through 2.3.1 Description: The issue affects Deno, a JavaScript, TypeScript, and WebAssembly runtime, where the --deny- flag is not prioritized over...

6.9 CVSS · 6.2 AI score · 0.00342 EPSS
Exploits 1 · References 13

Positive Technologies
added 2025/06/04 12:0 a.m. · 5 views

PT-2025-23787 · Unknown · Codeastro Real Estate Management System

Name of the Vulnerable Software and Affected Versions: CodeAstro Real Estate Management System version 1.0 Description: A critical issue has been found in the system, affecting an unknown part of the file /login.php. The manipulation of the email argument leads to SQL injection. It is possible to...

9.8 CVSS · 7.7 AI score · 0.00478 EPSS
Exploits 1 · References 11

Oracle linux
added 2025/06/04 12:0 a.m. · 10 views

go-toolset:ol8 security update

delve 1.24.1-1.0.1 - Disable DWARF compression which has issues Alex Burmashev golang 1.23.9-1 - Update to Go 1.23.9 - Resolves: RHEL-94636 go-toolset 1.23.9-1 - Update to Go 1.23.9 - Resolves: RHEL-94636...

9.1 CVSS · 7.4 AI score · 0.00682 EPSS
Exploits 0

Positive Technologies
added 2025/06/04 12:0 a.m. · 3 views

PT-2025-23736

Name of the Vulnerable Software and Affected Versions Employee Directory – Staff Listing & Team Directory Plugin for WordPress versions up to, and including, 4.5.0 Description The issue is related to Stored Cross-Site Scripting via the plugin's 'emd mb meta' shortcode due to insufficient input...

6.4 CVSS · 6.1 AI score · 0.00193 EPSS
Exploits 0 · References 5

OpenVAS
added 2025/06/04 12:0 a.m. · 2 views

SUSE: Security Advisory (SUSE-SU-2024:3787-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

7.8 CVSS · 8.1 AI score · 0.00894 EPSS
Exploits 0 · References 4

Patchstack
added 2025/06/03 8:54 p.m. · 9 views

WordPress FancyBox for WordPress plugin < 3.3.6 - Unauthenticated Stored XSS vulnerability

Unauthenticated Stored XSS vulnerability discovered by Pierre Rudloff, Marc Montpas in WordPress Plugin FancyBox for WordPress versions 3.3.6...

6.1 CVSS · 7.4 AI score · 0.00212 EPSS
Exploits 1 · References 1 · Affected Software 1

Patchstack
added 2025/06/03 8:52 p.m. · 11 views

WordPress Newsletter plugin < 8.8.2 - Admin+ Stored XSS via Subscription vulnerability

Admin+ Stored XSS via Subscription vulnerability discovered by Dmitrii Ignatyev in WordPress Plugin NewsLetter versions 8.8.2...

4.8 CVSS · 7.2 AI score · 0.0021 EPSS
Exploits 1 · References 1 · Affected Software 1

OSV
added 2025/06/03 8:31 p.m. · 5 views

CVE-2025-48999 Dataease Redshift Data Source JDBC Connection Parameters Not Verified Leads to RCE Vulnerability

DataEase is an open source business intelligence and data visualization tool. A bypass of CVE-2025-46566's patch exists in versions prior to 2.10.10. In a malicious payload, getUrlType retrieves hostName. Since the judgment statement returns false, it will not enter the if statement and will not ...

7.7 CVSS · 6.4 AI score · 0.06278 EPSS
Exploits 1 · References 4