CVE-2025-47288 Discourse Policy plugin private group members visible

Discourse Policy plugin gives the ability to confirm users have seen or done something. Prior to version 0.1.1, if there was a policy posted to a public topic that was tied to a private group then the group members could be shown to non-group members. This issue has been patched in version 0.1.1....

CVE-2025-46823 OpenMRS has Vulnerability in FHIR2 Module Privileges

openmrs-module-fhir2 provides the FHIR REST API and related services for OpenMRS, an open medical records system. In versions of the FHIR2 module prior to 2.5.0, privileges were not always correctly checked, which means that unauthorized users may have been able to add or edit data they were not...

CVE-2025-48057

Icinga 2 is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Prior to versions 2.12.12, 2.13.12, and 2.14.6, the VerifyCertificate function can be tricked into incorrectly treating certificates as vali...

CVE-2025-46722 vLLM has a Weakness in MultiModalHasher Image Hashing Implementation

vLLM is an inference and serving engine for large language models LLMs. In versions starting from 0.7.0 to before 0.9.0, in the file vllm/multimodal/hasher.py, the MultiModalHasher class has a security and data integrity issue in its image hashing method. Currently, it serializes PIL.Image.Image...

CVE-2025-46570 vLLM’s Chunk-Based Prefix Caching Vulnerable to Potential Timing Side-Channel

vLLM is an inference and serving engine for large language models LLMs. Prior to version 0.9.0, when a new prompt is processed, if the PageAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT Time to First Token. These timing differences...

CVE-2025-48475

CVE-2025-48475 affects FreeScout prior to version 1.8.180. The issue arises from missing checks on which "clients" an authorized user can view or edit, allowing a user without access to any mailboxes or conversations to view/edit the System’s clients. The root cause is the absence of enforcement ...

CVE-2025-48474

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application incorrectly checks user access rights for conversations. Users with showonlyassignedconversations enabled can assign themselves to an arbitrary conversation from the mailbox to which they have...

CVE-2025-48389

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, FreeScout is vulnerable to deserialization of untrusted data due to insufficient validation. Through the set function, a string with a serialized object can be passed, and when getting an option through the ge...

CVE-2025-48473

CVE-2025-48473 affects FreeScout prior to v1.8.179: when creating a conversation from a message in another conversation, the system does not validate that the user has view permissions, allowing access to arbitrary messages across mailboxes/conversations. The restriction enforced by show_only_ass...

CVE-2025-48473 FreeScout Vulnerable to Insufficient Authorization

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, when creating a conversation from a message in another conversation, there is no check to ensure that the user has the ability to view this message. Thus, the user can view arbitrary messages from other...

CVE-2025-48472 FreeScout Vulnerable to Insufficient Authorization

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, there is no check to ensure that the user is disabling notifications for the mailbox to which they already have access. Moreover, the code explicitly implements functionality that if the user does not have...

CVE-2025-48389 FreeScout Vulnerable to Deserialization of Untrusted Data

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, FreeScout is vulnerable to deserialization of untrusted data due to insufficient validation. Through the set function, a string with a serialized object can be passed, and when getting an option through the ge...

CVE-2025-48389

CVE-2025-48389 affects FreeScout prior to version 1.8.178. The issue arises from deserialization of untrusted data when using the set function to pass a serialized object string, and deserialization occurs when retrieving an option via the get method, enabling arbitrary code execution. This vulne...

CVE-2025-37998

In the Linux kernel, the following vulnerability has been resolved: openvswitch: Fix unsafe attribute parsing in outputuserspace This patch replaces the manual Netlink attribute iteration in outputuserspace with nlaforeachnested, which ensures that only well-formed attributes are processed...

CVE-2025-37998

CVE-2025-37998: Open vSwitch Netlink attribute parsing is the vulnerability. The Debian/Amazon/Linux advisories confirm the issue exists in the Linux kernel openvswitch output_userspace path and fix by replacing the manual Netlink attribute iteration with nla_for_each_nested(), ensuring only well...

SUSE-SU-2025:01748-1 Security update for postgresql15

This update for postgresql15 fixes the following issues: Upgrade to 15.13: - CVE-2025-4207: Fixed PostgreSQL GB18030 encoding validation can read one byte past end of allocation for text that fails validation bsc1242931 Changelog: https://www.postgresql.org/docs/release/15.13/...

Security update for go1.24

This update for go1.24 fixes the following issues: Update to go1.24.3 bsc1236217: Security fixes: CVE-2025-22873: Fixed os.Root permits access to parent directory bsc1242715 Changelog: go73556 go73555 security: fix CVE-2025-22873 os: Root permits access to parent directory go73082 os: Root.Open...

CVE-2025-48388 FreeScout Has Insufficient Protection Against CRLF-injection

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, the application performs insufficient validation of user-supplied data, which is used as arguments to string formatting functions. As a result, an attacker can pass a string containing special symbols \r, \n,...

PT-2025-23180 · Unknown · Openknowledgemaps Head Start

Name of the Vulnerable Software and Affected Versions: OpenKnowledgeMaps Headstart version 7 Description: An issue in OpenKnowledgeMaps Headstart allows a remote attacker to escalate privileges via the url parameter of the "getPDF.php" component. Recommendations: For OpenKnowledgeMaps Headstart...

CVE-2025-22872 affecting package kubernetes for versions less than 1.30.10-7

CVE-2025-22872 affecting package kubernetes for versions less than 1.30.10-7. A patched version of the package is available...