CVE-2025-32795
CVE-2025-32795 affects Dify, an open-source LLM app development platform. Prior to version 0.6.12, a misconfigured access control allowed normal/non-admin users to edit app details (names, descriptions, icons) despite not having permission to view apps, compromising integrity. Root cause: insuffi...
CVE-2025-32792 ses's global contour bindings leak into Compartment lexical scope
SES safely executes third-party JavaScript 'strict' mode programs in compartments that have no excess authority in their global scope. Prior to version 1.12.0, web pages and web extensions using ses and the Compartment API to evaluate third-party code in an isolated execution environment that hav...
CVE-2025-31120 NamelessMC Vulnerable to Cookie-Based View Count Manipulation
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, an insecure view count mechanism in the forum page allows an unauthenticated attacker to artificially increase the view count. The application relies on a client-side cookie nl-topic-t...
CVE-2025-30357 NamelessMC Forum Topic Deletion Triggered by Unrelated User Deletion
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, if a malicious user is leaving spam comments on many topics then an administrator, unable to manually remove each spam comment, may delete the malicious account. Once an administrator...
CVE-2025-30158 NamelessMC Forum iframe width/height abuse causing UI-based Denial of Service
NamelessMC is a free, easy to use & powerful website software for Minecraft servers. In version 2.1.4 and prior, the forum allows users to post iframe elements inside forum topics/comments/feed with no restriction on the iframe's width and height attributes. This allows an authenticated attacker ...
CVE-2025-27599
Element X Android (Element X Android apps by element.io) is affected prior to version 25.04.2. A crafted hyperlink on a webpage or a locally installed malicious app can cause Element X up to 25.04.1 to load a webpage with permissions similar to Element Call and automatically grant temporary acces...
GHSA-H9W6-F932-GQ62 ses's global contour bindings leak into Compartment lexical scope
Impact Web pages and web extensions using ses and the Compartment API to evaluate third-party code in an isolated execution environment that have also elsewhere used const, let, and class bindings in the top-level scope of a <script> tag will have inadvertently revealed these bindings in the lexical scope...
WordPress Booking and Rental Manager plugin <= 2.3.6 - Broken Access Control vulnerability
Broken Access Control vulnerability discovered by LVT-tholv2k Patchstack Alliance in WordPress Plugin Booking and Rental Manager versions <= 2.3.6...
CVE-2025-40114
In the Linux kernel, the following vulnerability has been resolved: iio: light: Add check for array bounds in veml6075_read_int_time_ms The array contains only 5 elements, but the index calculated by veml6075_read_int_time_index can range from 0 to 7, which could lead to out-of-bounds access. The check...
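The pattern behind this entry, a table lookup indexed by a hardware-derived value whose range is wider than the table, is shown below as an added example. It is not the kernel driver's code: the table values, the 3-bit register field, and the function names are all assumed for illustration; only the shape of the bug (5 entries, index 0..7) and the fix (validate the index before use) follow the advisory.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>

/* Constructed table of integration times in milliseconds: five entries,
 * as in the advisory. The values themselves are made up for this example. */
static const int it_table_ms[] = { 50, 100, 200, 400, 800 };
#define IT_TABLE_COUNT (sizeof(it_table_ms) / sizeof(it_table_ms[0]))

/* Assumed register layout: a 3-bit field, so the decoded index spans 0..7
 * while the table only has indices 0..4. */
#define IT_FIELD_SHIFT 4
#define IT_FIELD_MASK  0x7u

static int decode_it_index(uint16_t conf)
{
	return (int)((conf >> IT_FIELD_SHIFT) & IT_FIELD_MASK);
}

/* Vulnerable pattern: the decoded field is used directly as an array index.
 * For field values 5..7 this reads past the end of it_table_ms. */
static int read_int_time_ms_unchecked(uint16_t conf)
{
	return it_table_ms[decode_it_index(conf)];
}

/* Hardened pattern: refuse indices the table does not cover and report
 * -EINVAL, following the kernel's negative-errno convention. */
static int read_int_time_ms_checked(uint16_t conf, int *ms)
{
	int idx = decode_it_index(conf);

	if (idx < 0 || (size_t)idx >= IT_TABLE_COUNT)
		return -EINVAL;

	*ms = it_table_ms[idx];
	return 0;
}

/* Convenience wrapper for stand-alone use: returns the time in ms or -EINVAL. */
int int_time_ms_or_error(uint16_t conf)
{
	int ms = 0;
	int rc = read_int_time_ms_checked(conf, &ms);
	return rc < 0 ? rc : ms;
}
```

The unchecked variant is kept only for contrast; it must never be called with a field value of 5 or more, which is precisely the input a device (or a fuzzed register image) can present.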
CVE-2025-37893
In the Linux kernel, the following vulnerability has been resolved: LoongArch: BPF: Fix off-by-one error in build_prologue Vincent reported that running BPF progs with tailcalls on LoongArch causes kernel hard lockup. Debugging the issues shows that the JITed image missing a jirl instruction at th...
PT-2025-17339 · V380 Pro · V380 Pro
Name of the Vulnerable Software and Affected Versions: V380 Pro android application versions 2.1.44 through 2.1.64 Description: The issue in the V380 Pro android application allows an attacker to obtain sensitive information via the QE code based sharing component. Recommendations: For versions...
CVE-2025-27791
Collabora Online is a collaborative online office suite based on LibreOffice technology. In versions prior to 24.04.12.4, 23.05.19, and 22.05.25, there is a path traversal flaw in handling the CheckFileInfo BaseFileName field returned from WOPI servers. This allows for a file to be written anywhe...
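The entry above describes a file name supplied by a remote WOPI server being used to build a local path. Below is an added example of the kind of validation a WOPI client needs before using such a field; it is not Collabora's code and does not claim to be the vendor's fix. The function names and the storage-directory layout are assumptions for the example, and the check is purely lexical: it rejects separators, dot components, empty names and control characters rather than resolving the path on disk.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Return true only if `name` can be used as a bare file name inside the
 * per-document storage directory. Anything that could introduce a path
 * component (separators, "." or "..") or confuse logging/tooling (control
 * characters) is rejected. */
bool wopi_basefilename_is_safe(const char *name)
{
	if (name == NULL || name[0] == '\0')
		return false;
	if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
		return false;
	for (const unsigned char *p = (const unsigned char *)name; *p; ++p) {
		if (*p == '/' || *p == '\\')   /* separators on either platform */
			return false;
		if (*p < 0x20 || *p == 0x7f)   /* control characters, incl. \r\n */
			return false;
	}
	return true;
}

/* Build "<storage_dir>/<name>" into `out`, but only after `name` has been
 * validated. Returns 0 on success, -1 if the name was rejected or the
 * buffer is too small (the output is then not to be used). */
int wopi_build_storage_path(const char *storage_dir, const char *name,
                            char *out, size_t outlen)
{
	if (!wopi_basefilename_is_safe(name))
		return -1;

	int n = snprintf(out, outlen, "%s/%s", storage_dir, name);
	if (n < 0 || (size_t)n >= outlen)
		return -1;
	return 0;
}
```

A name such as "../../some/dir/file" fails the first separator test, so the join step is never reached; the equivalent unchecked `snprintf` would happily produce a path outside the storage directory.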
CVE-2025-31497
TEIGarage is a webservice and RESTful service to transform, convert and validate various formats, focussing on the TEI format. The Document Conversion Service contains a critical XML External Entity (XXE) Injection vulnerability in its document conversion functionality. The service processes XML...
WordPress Ultimate Dashboard plugin < 3.8.6 - Admin+ Stored XSS vulnerability
Admin+ Stored XSS vulnerability discovered by Krugov Artyom in WordPress Plugin Ultimate Dashboard versions < 3.8.6...
SUSE-SU-2025:1341-1 Security update for docker
This update for docker fixes the following issues: - Update to docker-buildx v0.22.0 - CVE-2025-0495: Fixed an integer overflow in User ID handling in containerd. bsc#1239765...
SUSE-SU-2025:1337-1 Security update for apache2-mod_auth_openidc
This update for apache2-mod_auth_openidc fixes the following issues: - CVE-2025-31492: Fixed a bug where OIDCProviderAuthRequestMethod POSTs can leak protected data. bsc#1240893...
WordPress Theme Changer plugin <= 1.4 - Cross Site Request Forgery (CSRF) vulnerability
Cross Site Request Forgery (CSRF) vulnerability discovered by ch4r0n Patchstack Alliance in WordPress Plugin Theme Changer versions <= 1.4...
PT-2025-18305 · NetGear · Netgear Wag302V2
Name of the Vulnerable Software and Affected Versions: Netgear WG302v2 versions up to 5.2.9 Description: A critical issue was found, affecting the function ui_get_input_value. The manipulation of the host argument leads to command injection. This issue can be exploited remotely. The vendor was...
PT-2025-17237 · Unknown · Prison Management System
Name of the Vulnerable Software and Affected Versions: Personal Management System version 1.4.65 Description: An issue in Personal Management System allows a remote attacker to obtain sensitive information via the "Travel Ideas" function. Recommendations: For version 1.4.65, consider disabling th...
PT-2025-17095 · WordPress · Wordpress Health/Server Condition – Integrated With Google Page Speed
Name of the Vulnerable Software and Affected Versions: WordPress Health and Server Condition – Integrated with Google Page Speed versions through 4.1.1 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as Cross-site Scripting. This allows...