CVE-2025-3935
CVE-2025-3935 affects ScreenConnect 25.2.3 and earlier, where ViewState code injection can enable remote code execution if machine keys are compromised. The vulnerability stems from platform-level ViewState handling in ASP.NET Web Forms rather than a ScreenConnect flaw. ScreenConnect 2025.4 patch...
CVE-2025-32958
Adept is a language for general purpose programming. Prior to commit a1a41b7, the remoteBuild.yml workflow file uses actions/upload-artifact@v4 to upload the mac-standalone artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file...
CVE-2025-32433
Erlang/OTP is a set of libraries for the Erlang programming language. Prior to versions OTP-27.3.3, OTP-26.2.5.11, and OTP-25.3.2.20, an SSH server may allow an attacker to perform unauthenticated remote code execution (RCE). By exploiting a flaw in SSH protocol message handling, a malicious actor...
CVE-2025-31118
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, forum quick reply feature viewtopic.php does not implement any spam prevention mechanism. This allows authenticated users to continuously post replies without any time restriction,...
CVE-2025-32432
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity...
GHSA-733V-P3H5-QPQ7 GraphQL Armor Cost-Limit Plugin Bypass via Introspection Query Obfuscation
Summary: A query cost restriction enforced by the cost-limit plugin can be bypassed if ignoreIntrospection is enabled (the default configuration) by naming your query/fragment "schema". Details: At the start of the computeComplexity function, we have the following check for the ignoreIntrospection option: ts i...
CVE-2025-43862
CVE-2025-43862 relates to Dify, an open-source LLM app development platform. Prior to version 0.6.12, a normal (non-admin) user could access and modify APP orchestration despite UI restrictions, due to an access-control flaw. This could allow unauthorized access and changes to APPs. The issue is ...
CVE-2025-32432 Craft CMS Allows Remote Code Execution
Craft is a flexible, user-friendly CMS for creating custom digital experiences on the web and beyond. Starting from version 3.0.0-RC1 to before 3.9.15, 4.0.0-RC1 to before 4.14.15, and 5.0.0-RC1 to before 5.6.17, Craft is vulnerable to remote code execution. This is a high-impact, low-complexity...
CVE-2025-32432
CVE-2025-32432 affects Craft CMS across 3.x (3.0.0-RC1–3.9.14), 4.x (4.0.0-RC1–4.14.14), and 5.x (5.0.0-RC1–5.6.16). The vulnerability is a remote code execution via insecure deserialization in the asset transform path (notably /actions/assets/generate-transform) that can be triggered by crafted ...
PT-2025-17894 · WordPress · 1 Decembrie 1918
Name of the Vulnerable Software and Affected Versions: 1 Decembrie 1918 plugin for WordPress versions up to, and including, 1.dec.2012 Description: The issue is related to Cross-Site Request Forgery due to missing or incorrect nonce validation on the "1-decembrie-1918/1-decembrie-1918.php" page...
PT-2025-17898 · WordPress · Jobsearch Wp Job Board
Name of the Vulnerable Software and Affected Versions: JobSearch WP Job Board plugin for WordPress versions prior to 2.8.9 Description: The issue is related to authentication bypass due to improper configurations in the jobsearch xing response data callback, set access tokens, and google callback...
AIX (IJ54061)
The version of AIX installed on the remote host is prior to APAR IJ54061. It is, therefore, affected by a vulnerability as referenced in the IJ54061 advisory. - xmlXIncludeAddNode in xinclude.c in libxml2 before 2.11.0 has a use-after-free. CVE-2022-49043 Note that Nessus has not tested for this...
CVE-2025-43861
ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 2f177dc, ManageWiki is vulnerable to reflected or stored XSS in the review dialog. A logged-in attacker must change a form field to include a malicious payload. If that same user then opens the "Review Changes"...
CVE-2025-43861 ManageWiki Vulnerable to Self-XSS in review dialog via unsanitized field reflection
ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 2f177dc, ManageWiki is vulnerable to reflected or stored XSS in the review dialog. A logged-in attacker must change a form field to include a malicious payload. If that same user then opens the "Review Changes"...
WordPress Media Library Downloader plugin <= 1.3.1 - Broken Access Control Vulnerability
Broken Access Control Vulnerability discovered by ch4r0n in WordPress Plugin Media Library Downloader versions <= 1.3.1...
Security update for MozillaThunderbird
This update for MozillaThunderbird fixes the following issues: Mozilla Thunderbird 128.9.2 (bsc1241277) CVE-2025-3522: Leak of hashed Windows credentials via crafted attachment URL CVE-2025-2830: Information Disclosure of /tmp directory listing CVE-2025-3523: User Interface (UI) Misrepresentation of...
CVE-2025-27820 Apache HttpComponents: PSL (Public Suffix List) validation bypass
A bug in PSL validation logic in Apache HttpClient 5.4.x disables domain checks, affecting cookie management and host name verification. Discovered by the Apache HttpClient team. Fixed in the 5.4.3 release...
PT-2025-17717
Name of the Vulnerable Software and Affected Versions: Flynax Bridge plugin for WordPress versions up to, and including, 2.2.0 Description: The issue is related to privilege escalation via account takeover due to the plugin not properly validating a user's identity prior to updating their details,...
CVE-2025-21605
Redis is an open source, in-memory database that persists on disk. In versions starting at 2.6 and prior to 7.4.3, an unauthenticated client can cause unlimited growth of output buffers, until the server runs out of memory or is killed. By default, the Redis configuration does not limit the outpu...