CVE-2025-48953
Umbraco is an ASP.NET content management system (CMS). Starting in version 14.0.0 and prior to versions 15.4.2 and 16.0.0, it's possible to upload a file that doesn't adhere to the configured allowable file extensions via a manipulated API request. The issue is patched in versions 15.4.2 and...
CVE-2025-48998 Dataease MYSQL JDBC File Reading Vulnerability
DataEase is an open source business intelligence and data visualization tool. Prior to version 2.10.6, a bypass of the patch for CVE-2025-27103 allows authenticated users to read and deserialize arbitrary files through the background JDBC connection. The vulnerability has been fixed in v2.10.10. ...
CVE-2025-48953
Umbraco CMS (ASP.NET) has a file-upload bypass vulnerability: in versions 14.0.0 up to but not including 15.4.2 and 16.0.0, an API request can be manipulated to upload a file that doesn’t conform to the configured allowed extensions. The issue is fixed in 15.4.2 and 16.0.0. There are no publicly ...
CVE-2025-30359 webpack-dev-server users' source code may be stolen when they access a malicious web site
webpack-dev-server allows users to use webpack with a development server that provides live reloading. Prior to version 5.2.1, webpack-dev-server users' source code may be stolen when they access a malicious web site. Because the request for classic script by a script tag is not subject to same...
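The mechanism the advisory points at is that a classic `<script src="http://localhost:8080/main.js">` tag on an attacker's page is fetched without any same-origin restriction, so a development server that answers every request hands its bundle to a foreign document. The block below is an added example, not webpack-dev-server's own code or its actual fix: it is a request filter that uses the Fetch Metadata headers modern browsers attach to every request (`Sec-Fetch-Site`, `Sec-Fetch-Dest`, `Sec-Fetch-Mode`) to refuse cross-origin script loads while still serving the dev UI itself and non-browser clients. `DEV_ORIGIN`, the `decideScriptRequest`/`scriptGuard` names and the sample request headers are assumptions made for the example.

```javascript
// Added example (not webpack-dev-server's code): refuse cross-origin script
// loads against a local dev server using Fetch Metadata request headers.
// A classic <script src=...> load from another origin arrives as
//   Sec-Fetch-Site: cross-site, Sec-Fetch-Dest: script, Sec-Fetch-Mode: no-cors
// which is exactly the pattern rejected here.

const DEV_ORIGIN = "http://localhost:8080"; // hypothetical listening origin

// Case-insensitive header lookup so both Node's lower-cased req.headers and
// hand-built objects work.
function header(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Decide whether a request should be served. Returns { allow, reason } so the
// caller can log the verdict.
function decideScriptRequest(headers) {
  const site = header(headers, "sec-fetch-site");
  const dest = header(headers, "sec-fetch-dest");
  const origin = header(headers, "origin");

  // Non-browser clients (curl, tooling, very old browsers) send no Fetch
  // Metadata. This filter fails open for them: they are not the SOP bypass
  // it targets. Tighten this if the server must never answer such clients.
  if (site === undefined) {
    return { allow: true, reason: "no Fetch Metadata; assumed non-browser client" };
  }
  // The real dev UI (same-origin) and a direct navigation (none) are fine.
  if (site === "same-origin" || site === "none") {
    return { allow: true, reason: `sec-fetch-site=${site}` };
  }
  // A foreign document pulling our bundle through a tag that SOP does not
  // block: cross-site (or same-site) request whose destination is a script.
  if (["script", "worker", "sharedworker", "serviceworker"].includes(dest)) {
    return {
      allow: false,
      reason: `cross-origin ${dest} load from site=${site} origin=${origin ?? "n/a"}`,
    };
  }
  // CORS-mode requests carry Origin; only our own origin may have it.
  if (origin !== undefined && origin !== DEV_ORIGIN) {
    return { allow: false, reason: `foreign Origin ${origin}` };
  }
  return { allow: true, reason: "no cross-origin script pattern detected" };
}

// Express/connect-style middleware built on the decision above.
function scriptGuard(req, res, next) {
  const verdict = decideScriptRequest(req.headers);
  if (!verdict.allow) {
    res.statusCode = 403;
    res.end("Forbidden: " + verdict.reason);
    return;
  }
  next();
}

// Constructed sample requests (not captured traffic).
const SAMPLE_REQUESTS = {
  attackerScriptTag: {
    "sec-fetch-site": "cross-site",
    "sec-fetch-dest": "script",
    "sec-fetch-mode": "no-cors",
  },
  devUiScript: {
    "sec-fetch-site": "same-origin",
    "sec-fetch-dest": "script",
    "sec-fetch-mode": "no-cors",
  },
  curl: { "user-agent": "curl/8.0" },
  attackerFetchCors: {
    origin: "https://evil.example",
    "sec-fetch-site": "cross-site",
    "sec-fetch-dest": "empty",
    "sec-fetch-mode": "cors",
  },
};

for (const [name, headers] of Object.entries(SAMPLE_REQUESTS)) {
  const v = decideScriptRequest(headers);
  console.log(`${name}: ${v.allow ? "serve" : "refuse"} (${v.reason})`);
}
```

The filter deliberately fails open when no Fetch Metadata is present; that keeps `curl` and build tooling working but means a client that strips those headers is not blocked, so it complements rather than replaces upgrading to a fixed release.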
quic-go Has Panic in Path Probe Loss Recovery Handling
Impact: The loss recovery logic for path probe packets that was added in the v0.50.0 release can be used to trigger a nil-pointer dereference by a malicious QUIC client. In order to do so, the attacker first sends valid QUIC packets from different remote addresses, thereby triggering the newly adde...
PT-2025-23622 · Unicom · Unicom Focal Point
Name of the Vulnerable Software and Affected Versions: Unicom Focal Point version 7.6.1 Description: A Cross Site Scripting issue was found. The val parameter in SettingController for the "/fp/admin/settings/loginpage" endpoint and the rootserviceurl parameter in FriendsController for the...
PT-2025-23872 · D Link · D-Link Dir-816
Name of the Vulnerable Software and Affected Versions: D-Link DIR-816 version 1.10CNB05 Description: A critical issue was found in the function setipsec_config of the file /goform/setipsec_config. The manipulation of the arguments localIP and remoteIP leads to OS command injection. It is possible...
PT-2025-23873 · D Link · D-Link Dir-816
Name of the Vulnerable Software and Affected Versions: D-Link DIR-816 version 1.10CNB05 Description: A critical issue has been discovered, affecting the qosClassifier function of the file /goform/qosClassifier. The manipulation of the arguments dip_address and sip_address leads to OS command...
CVE-2025-48996 Unauthenticated Disclosure of PSU HAX CMS Site Listings via haxPsuUsage API Endpoint
HAX open-apis provides microservice APIs for the HAX webcomponents repo that are shared infrastructure calls. An unauthenticated information disclosure vulnerability exists in the Penn State University deployment of the HAX content management system via the haxPsuUsage API endpoint, related to a flat...
CVE-2025-47272
The CE Phoenix eCommerce platform, starting in version 1.0.9.7 and prior to version 1.1.0.3, allowed logged-in users to delete their accounts without requiring password re-authentication. An attacker with temporary access to an authenticated session (e.g., on a shared/public machine) could...
CVE-2025-48494
Gokapi is a self-hosted file sharing server with automatic expiration and encryption support. When using end-to-end encryption, a stored cross-site scripting vulnerability can be exploited by uploading a file with JavaScript code embedded in the filename. After upload and every time someone opens...
CVE-2025-5455 Possible denial of service when passing malformed data in a URL to qDecodeDataUrl
An issue was found in the private API function qDecodeDataUrl in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code. If the function was called with malformed data, for example, a URL that contained a "charset" parameter that lacked a value such as...
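The failure class described above is a data: URL whose media-type parameter list contains `charset` with no value. The block below is an added example, not Qt's code: a small RFC 2397 data: URL parser in JavaScript that treats a valueless or empty `charset` (or any parameter missing its `=`) as absent instead of indexing past the end of the string, decodes both base64 and percent-encoded payloads to raw bytes, and reports structural errors as a `DataUrlError` rather than crashing. The function and class names and the sample URLs are constructed for the example.

```javascript
// Added example (not Qt's qDecodeDataUrl): tolerant RFC 2397 data: URL parser.
// Returns { mimeType, charset, explicitCharset, isBase64, data } with data as
// a Buffer, or throws DataUrlError for structurally invalid input.

class DataUrlError extends Error {}

// Percent-decode to raw bytes (does not assume the payload is valid UTF-8,
// so "%FF%00" yields the bytes 0xff 0x00). Literal non-ASCII characters are
// emitted as their UTF-8 encoding.
function percentDecodeToBytes(s) {
  const chars = Array.from(s);
  const out = [];
  for (let i = 0; i < chars.length; i++) {
    const c = chars[i];
    const hex = (chars[i + 1] ?? "") + (chars[i + 2] ?? "");
    if (c === "%" && /^[0-9A-Fa-f]{2}$/.test(hex)) {
      out.push(parseInt(hex, 16));
      i += 2;
    } else {
      out.push(...Buffer.from(c, "utf8"));
    }
  }
  return Buffer.from(out);
}

function decodeDataUrl(url) {
  if (typeof url !== "string" || !url.toLowerCase().startsWith("data:")) {
    throw new DataUrlError("not a data: URL");
  }
  // Everything before the first comma is the media type and its
  // ";"-separated parameters (possibly a bare ";base64"); the rest is payload.
  const comma = url.indexOf(",", 5);
  if (comma === -1) throw new DataUrlError("missing ',' between header and payload");
  const header = url.slice(5, comma);
  const payload = url.slice(comma + 1);

  const parts = header.split(";");
  let mimeType = parts[0].trim().toLowerCase() || "text/plain"; // RFC 2397 default
  let charset = "US-ASCII"; // RFC 2397 default
  let explicitCharset = false;
  let isBase64 = false;

  for (const raw of parts.slice(1)) {
    const param = raw.trim();
    if (param === "") continue; // tolerate ";;"
    if (param.toLowerCase() === "base64") { isBase64 = true; continue; }
    // The malformed case from the advisory: an attribute with no "=" at all,
    // or "=" followed by nothing. Both are treated as "no value given".
    const eq = param.indexOf("=");
    const name = (eq === -1 ? param : param.slice(0, eq)).trim().toLowerCase();
    const value = eq === -1 ? "" : param.slice(eq + 1).trim();
    if (name === "charset" && value !== "") {
      charset = value;
      explicitCharset = true;
    }
    // Other parameters are accepted and ignored.
  }

  let data;
  if (isBase64) {
    // Base64 payload may itself be percent-encoded (e.g. "%3D" padding) and
    // may contain whitespace; strip both, then validate before decoding.
    const cleaned = percentDecodeToBytes(payload).toString("latin1").replace(/\s+/g, "");
    if (!/^[A-Za-z0-9+/]*={0,2}$/.test(cleaned)) throw new DataUrlError("invalid base64 payload");
    data = Buffer.from(cleaned, "base64");
  } else {
    data = percentDecodeToBytes(payload);
  }
  return { mimeType, charset, explicitCharset, isBase64, data };
}

// Constructed sample inputs, including the valueless-charset shapes.
const SAMPLE_DATA_URLS = [
  "data:text/plain;charset;base64,SGVsbG8=",
  "data:;charset=;base64,SGk=",
  "data:text/html;charset=utf-8,%3Cb%3Ehi%3C%2Fb%3E",
  "data:application/octet-stream,%FF%00",
];

for (const u of SAMPLE_DATA_URLS) {
  const r = decodeDataUrl(u);
  console.log(u, "->", r.mimeType, r.charset, r.data);
}
```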
Android Automotive OS Update Bulletin—June 2025
The Android Automotive OS (AAOS) Update Bulletin contains details of security vulnerabilities affecting the Android Automotive OS platform. The full AAOS update comprises the security patch level of 2025-06-05 or later from the June 2025 Android Security Bulletin in addition to all issues in this...
CVE-2025-5411 Mist Community Edition views.py tag_resources cross site scripting
A vulnerability was found in Mist Community Edition up to 4.7.1. It has been rated as problematic. This issue affects the function tag_resources of the file src/mist/api/tag/views.py. The manipulation of the argument tag leads to cross site scripting. The attack may be initiated remotely. The...
CVE-2025-48883
Chrome PHP allows users to start playing with chrome/chromium in headless mode from PHP. Prior to version 1.14.0, CSS Selector expressions are not properly encoded, which can lead to cross-site scripting (XSS) vulnerabilities. This is patched in v1.14.0. As a workaround, users can apply encoding...
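The Gokapi entry (CVE-2025-48494, script in a filename rendered into a page) and this Chrome PHP entry (a selector spliced into a JavaScript expression) are the same mistake in two output contexts, and the correct encoder differs between them. The block below is an added example, not code from Gokapi or from chrome-php: part 1 shows a filename inserted into HTML with and without HTML escaping; part 2 shows a selector inserted into a `document.querySelector(...)` expression with naive quoting and with JSON encoding. A stub `document`/`alert` pair lets the expression run under Node so the difference is observable. All function names and payloads are constructed for the example.

```javascript
// Added example (not Gokapi's or chrome-php's code): output encoding must
// match the context the untrusted string lands in.

// HTML text/attribute context: escape the five HTML metacharacters.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Part 1: a file-listing row. Vulnerable form interpolates the raw name.
function renderFileRowVulnerable(name) {
  return `<td>${name}</td>`;
}
function renderFileRow(name) {
  return `<td>${escapeHtml(name)}</td>`;
}

// Part 2: source text for a querySelector call that a headless browser will
// evaluate. Naive quoting lets the selector close the string literal.
function querySelectorExprVulnerable(selector) {
  return `document.querySelector("${selector}")`;
}
// JSON.stringify yields a valid JavaScript string literal: quotes, backslashes
// and control characters are escaped, so the selector cannot break out.
// HTML-escaping here would be the wrong encoder for this context.
function querySelectorExpr(selector) {
  return `document.querySelector(${JSON.stringify(selector)})`;
}

// Execute expression source the way a page would, with stub globals.
// Returns what querySelector received and whether alert() was reached.
function evaluateInFakePage(exprSource) {
  const seen = [];
  let alertFired = false;
  const fakeDocument = { querySelector(sel) { seen.push(sel); return null; } };
  const fakeAlert = () => { alertFired = true; };
  new Function("document", "alert", exprSource)(fakeDocument, fakeAlert);
  return { selectorSeen: seen[0], alertFired };
}

// Constructed attacker inputs.
const HOSTILE_FILENAME = "<img src=x onerror=alert(1)>.txt";
const HOSTILE_SELECTOR = '"); alert(1); ("';

console.log(renderFileRowVulnerable(HOSTILE_FILENAME));
console.log(renderFileRow(HOSTILE_FILENAME));
console.log(evaluateInFakePage(querySelectorExprVulnerable(HOSTILE_SELECTOR)));
console.log(evaluateInFakePage(querySelectorExpr(HOSTILE_SELECTOR)));
```

In the Chrome PHP case the generated expression runs inside the automated page, so a selector that escapes the string literal executes as page script; the JSON-encoded form passes the whole hostile string to `querySelector` as data, which then simply fails to match.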
CVE-2025-48488
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, deleting the file .htaccess allows an attacker to upload an HTML file containing malicious JavaScript code to the server, which can result in a cross-site scripting (XSS) vulnerability. This issue has been patch...
CVE-2025-48481
FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, an attacker with an unactivated email invitation containing invitehash, can exploit this vulnerability to self-activate their account, despite it being blocked or deleted, by leveraging the invitation link fro...
CVE-2025-48491
Project AI is a platform designed to create AI agents. Prior to the pre-beta version, a hardcoded API key was present in the source code. This issue has been patched in the pre-beta version...