Positive Technologies
added 2025/05/27 12:00 a.m. · 5 views

PT-2025-23047 · Ibm · Ibm Security Guardium

Name of the Vulnerable Software and Affected Versions: IBM Security Guardium version 12.0 Description: The issue allows a privileged user to download any file on the system due to improper escaping of input. Recommendations: For IBM Security Guardium version 12.0, consider restricting file access...

CVSS 6.8 · AI score 6.1 · EPSS 0.00294
Exploits 0 · References 7

Rosalinux
added 2025/05/26 6:22 a.m. · 10 views

Advisory ROSA-SA-2025-2864

software: freetype 2.10.4 OS: ROSA-CHROME packageevrstring: freetype-2.10.4-7 CVE-ID: CVE-2025-27363 BDU-ID: 2025-02719 CVE-Crit: HIGH CVE-DESC.: A vulnerability in the FreeType font rasterization library involves reading outside buffer boundaries in memory. Exploitation of the vulnerability coul...

CVSS 8.1 · AI score 8.5 · EPSS 0.23357
Exploits 0

OpenVAS
added 2025/05/26 12:00 a.m. · 4 views

Fedora: Security Advisory (FEDORA-2025-1dc1cd5a87)

The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if(description)...

AI score 7.5
Exploits 0 · References 4

OpenVAS
added 2025/05/26 12:00 a.m. · 5 views

Fedora: Security Advisory (FEDORA-2025-538f2e492d)

The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if(description)...

CVSS 5.5 · AI score 5.7 · EPSS 0.00314
Exploits 1 · References 3

Positive Technologies
added 2025/05/26 12:00 a.m. · 7 views

PT-2025-22872 · H3C · H3C Seccenter Smp-E1114P02

Name of the Vulnerable Software and Affected Versions: H3C SecCenter SMP-E1114P02 up to 20250513 Description: A vulnerability has been found in the function Download of the file /packetCaptureStrategy/download. The manipulation of the argument Name leads to path traversal. It is possible to launc...

CVSS 7.5 · AI score 4.5 · EPSS 0.00651
Exploits 0 · References 9

Cvelist
added 2025/05/25 4:31 p.m. · 23 views

CVE-2025-5151 defog-ai introspect analysis_tools.py execute_analysis_code_safely code injection

A vulnerability classified as critical has been found in defog-ai introspect up to 0.1.4. This affects the function execute_analysis_code_safely of the file introspect/backend/tools/analysis_tools.py. The manipulation of the argument code leads to code injection. It is possible to launch the attack o...

CVSS 5.3 · EPSS 0.00257
Exploits 1 · References 7

Positive Technologies
added 2025/05/25 12:00 a.m. · 3 views

PT-2025-22852 · Dedecms · Dedecms

Name of the Vulnerable Software and Affected Versions: DedeCMS version 5.7.117 Description: A critical issue was found in DedeCMS, affecting an unknown function of the file dede/sys_verifies.php?action=getfiles. The manipulation of the refiles argument leads to code injection. This issue can be...

CVSS 7.2 · AI score 5.3 · EPSS 0.00462
Exploits 1 · References 12

RedhatCVE
added 2025/05/24 5:18 p.m. · 19 views

CVE-2025-46716

Sandboxie is a sandbox-based isolation software for 32-bit and 64-bit Windows NT-based operating systems. Starting in version 1.3.0 and prior to version 1.15.12, ApiSetSecureParam fails to sanitize incoming pointers, and implicitly trusts that the pointer the user has passed in is safe to read...

CVSS 5.5 · AI score 6.8 · EPSS 0.00189
Exploits 1 · References 1

RedhatCVE
added 2025/05/23 10:30 p.m. · 20 views

CVE-2025-47942

The Open edX Platform is a learning management platform. Prior to commit 6740e75c0fdc7ba095baf88e9f5e4f3e15cfd8ba, edxapp has no built-in protection against downloading the pythonlib.zip asset from courses, which is a concern since it often contains custom grading code or answers to course...

CVSS 5.3 · AI score 6.9 · EPSS 0.00373
Exploits 0 · References 1

RedhatCVE
added 2025/05/23 6:17 p.m. · 14 views

CVE-2025-48063

XWiki is a generic wiki platform. In XWiki 16.10.0, required rights were introduced as a way to limit which rights a document can have. Part of the security model of required rights is that a user who doesn't have a right also cannot define that right as required right. That way, users who are...

CVSS 8.8 · AI score 7.8 · EPSS 0.0078
Exploits 1 · References 1

NVD
added 2025/05/23 4:15 p.m. · 38 views

CVE-2025-48378

DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to version 9.13.9, uploaded SVG files could contain scripts and if rendered inline those scripts could run, allowing XSS attacks. Version 9.13.9 fixes the issue...

CVSS 6.1 · EPSS 0.00244
Exploits 0 · References 2

NVD
added 2025/05/23 4:15 p.m. · 19 views

CVE-2025-43860

OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) vulnerability in versions prior to 7.0.3.4 allows any authenticated user with patient creation and editing privileges to inject arbitrary JavaScript code into...

CVSS 7.6 · EPSS 0.03433
Exploits 1 · References 1

OSV
added 2025/05/23 3:35 p.m. · 6 views

CVE-2025-43860 OpenEMR Vulnerable to Stored XSS Attack in the Additional Address Section of Patient Demographics

OpenEMR is a free and open source electronic health records and medical practice management application. A stored cross-site scripting (XSS) vulnerability in versions prior to 7.0.3.4 allows any authenticated user with patient creation and editing privileges to inject arbitrary JavaScript code into...

CVSS 7.6 · AI score 6 · EPSS 0.03433
Exploits 1 · References 3

RedhatCVE
added 2025/05/23 12:00 p.m. · 22 views

CVE-2025-24361

Nuxt is an open-source web development framework for Vue.js. Source code may be stolen during dev when using version 3.0.0 through 3.15.12 of the webpack builder or version 3.12.2 through 3.152 of the rspack builder and a victim opens a malicious web site. Because the request for classic script b...

CVSS 5.3 · AI score 6.8 · EPSS 0.00325
Exploits 0 · References 1

RedhatCVE
added 2025/05/23 11:40 a.m. · 4 views

CVE-2025-24136

This issue was addressed with improved validation of symlinks. This issue is fixed in macOS Sequoia 15.3, macOS Sonoma 14.7.3, macOS Ventura 13.7.3. A malicious app may be able to create symlinks to protected regions of the disk...

CVSS 4.4 · AI score 5.8 · EPSS 0.0028
Exploits 0 · References 1

RedhatCVE
added 2025/05/23 10:47 a.m. · 11 views

CVE-2024-52008

Fides is an open-source privacy engineering platform. The user invite acceptance API endpoint lacks server-side password policy enforcement, allowing users to set arbitrarily weak passwords by bypassing client-side validation. While the UI enforces password complexity requirements, direct API cal...

CVSS 8.8 · AI score 6.8 · EPSS 0.00536
Exploits 0 · References 1

RedhatCVE
added 2025/05/23 10:47 a.m. · 7 views

CVE-2024-48924

Impact When this library is used to deserialize messagepack data from an untrusted source, there is a risk of a denial of service attack by an attacker that sends data contrived to produce hash collisions, leading to large CPU consumption disproportionate to the size of the data being deserialize...

CVSS 8.7 · AI score 7.1 · EPSS 0.00356
Exploits 0

RedhatCVE
added 2025/05/23 10:42 a.m. · 5 views

CVE-2024-43027

DrayTek Vigor 3900 before v1.5.1.5Beta, DrayTek Vigor 2960 before v1.5.1.5Beta and DrayTek Vigor 300B before v1.5.1.5Beta were discovered to contain a command injection vulnerability via the action parameter at cgi-bin/mainfunction.cgi...

CVSS 8 · AI score 8.1 · EPSS 0.01297
Exploits 1 · References 1

RedhatCVE
added 2025/05/23 10:41 a.m. · 14 views

CVE-2024-48926

Umbraco, a free and open source .NET content management system, has an insufficient session expiration issue in versions on the 13.x branch prior to 13.5.2, 10.x prior to 10.8.7, and 8.x prior to 8.18.15. The Backoffice displays the logout page with a session timeout message before the server...

CVSS 4.2 · AI score 6.9 · EPSS 0.00245
Exploits 0

RedhatCVE
added 2025/05/23 10:40 a.m. · 13 views

CVE-2024-47772

Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by sending a maliciously crafted chat message and replying to it. This issue only affects sites with CSP disabled. This problem is patched in the latest version of...

CVSS 6.5 · AI score 7.3 · EPSS 0.00331
Exploits 0