CVE-2025-32951 io.jmix.rest:jmix-rest allows XSS in the /files Endpoint of the Generic REST API
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends...
CVE-2025-32952 io.jmix.localfs:jmix-localfs affected by DoS in the Local File Storage
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the local file storage implementation does not restrict the size of uploaded files. An attacker could exploit this by uploading excessively large files...
CVE-2025-32964 ManageWiki vulnerable to permission bypass when disabling extensions requiring certain permissions in Special:ManageWiki/extensions
ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 00bebea, when enabling a conflicting extension, a restricted extension would be automatically disabled even if the user did not hold the ManageWiki-restricted right. This issue has been patched in commit 00bebea. ...
CVE-2025-32963 Minio Operator uses Kubernetes apiserver audience for AssumeRoleWithWebIdentity STS
MinIO Operator STS is a native IAM Authentication for Kubernetes. Prior to version 7.1.0, if no audiences are provided for the spec.audiences field, the default will be that of the Kubernetes apiserver. Without scoping, it can be replayed to other internal systems, which may unintentionally trust it...
CVE-2025-32950 io.jmix.localfs:jmix-localfs has a Path Traversal in Local File Storage
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, attackers could manipulate the FileRef parameter to access files on the system where the Jmix application is deployed, provided the application server...
CVE-2025-32788 OctoPrint Authenticated Reverse Proxy Page Authentication Bypass
OctoPrint provides a web interface for controlling consumer 3D printers. In versions up to and including 1.10.3, OctoPrint has a vulnerability that allows an attacker to bypass the login redirect and directly access the rendered HTML of certain frontend pages. The primary risk lies in potential...
CVE-2025-32788
CVE-2025-32788 – OctoPrint Up to version 1.10.3, OctoPrint could bypass the login redirect and directly access rendered HTML of certain frontend pages by abusing authentication checks. The issue centers on the frontend authentication flow, notably functions like require_login, require_login_with,...
GHSA-F3GV-CWWH-758M io.jmix.localfs:jmix-localfs affected by DoS in the Local File Storage
Impact The local file storage implementation does not restrict the size of uploaded files. An attacker could exploit this by uploading excessively large files, potentially causing the server to run out of space and return HTTP 500 error, resulting in a denial of service. The severity of the...
GHSA-X27V-F838-JH93 io.jmix.rest:jmix-rest allows XSS in the /files Endpoint of the Generic REST API
Impact The input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be...
GHSA-QW93-H6PF-226X OctoPrint Authenticated Reverse Proxy Page Authentication Bypass
Impact OctoPrint versions up until and including 1.10.3 contain a vulnerability that allows an attacker to bypass the login redirect and directly access the rendered HTML of certain frontend pages. The impact on data exposure is minimal because, typically, data is loaded via API requests that...
CVE-2025-32728 affecting package openssh for versions less than 9.8p1-4
CVE-2025-32728 affecting package openssh for versions less than 9.8p1-4. A patched version of the package is available...
CVE-2024-12243 affecting package gnutls for versions less than 3.8.3-4
CVE-2024-12243 affecting package gnutls for versions less than 3.8.3-4. A patched version of the package is available...
CVE-2025-3616
The Greenshift – animation and page builder blocks WordPress plugin (versions 11.4–11.4.5) is vulnerable to an authenticated arbitrary file upload due to missing file type validation in gspb_make_proxy_api_request(), allowing Subscriber+ users to upload files on the server and potentially achieve...
PT-2025-17845
Name of the Vulnerable Software and Affected Versions: SAP NetWeaver versions prior to September 2025 Description: A critical remote code execution issue exists in the SAP NetWeaver Development Server, specifically within the Visual Composer tool's Metadata Uploader function. The flaw is caused by...
PT-2025-17578 · Tcpwave · Tcpwave Ddi
Name of the Vulnerable Software and Affected Versions: TCPWave DDI version 11.34P1C2 Description: The issue allows for Remote Code Execution via Unrestricted File Upload combined with Path Traversal. Recommendations: For TCPWave DDI version 11.34P1C2, consider restricting access to file upload...
PT-2025-17572 · Totolink · Totolink Ex1200T
Name of the Vulnerable Software and Affected Versions: TOTOLINK EX1200T version 4.1.2cu.5232 B20210713 Description: The issue concerns a pre-auth remote command execution vulnerability in the setUpgradeFW function through the FileName parameter. This allows for remote command execution without...
PT-2025-17568 · Totolink · Totolink A950Rg +3
Name of the Vulnerable Software and Affected Versions: TOTOLINK A830R version 4.1.2cu.5182 B20201102; TOTOLINK A950RG version 4.1.2cu.5161 B20200903; TOTOLINK A3000RU version 5.9c.5185 B20201128; TOTOLINK A3100R version 4.1.2cu.5247 B20211129 Description: A buffer overflow vulnerability was discover...
PT-2025-17522
Name of the Vulnerable Software and Affected Versions: The Ocean Extra plugin for WordPress versions up to, and including, 2.4.6 Description: The issue is related to arbitrary shortcode execution. It occurs because the software does not properly validate a value before running do_shortcode, allowin...