Debian: Security Advisory (DLA-4128-1)
The remote host is missing an update for the Debian SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...
PT-2025-16267 · Ibm · Ibm Aspera Console
Name of the Vulnerable Software and Affected Versions: IBM Aspera Console versions 3.4.0 through 3.4.4 Description: This issue allows users to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credentials disclosure within a trusted...
PT-2025-16236 · Projectworlds · Online Food Ordering System
Name of the Vulnerable Software and Affected Versions: projectworlds Online Food Ordering System version 1.0 Apache Struts versions 2.5.26 and earlier Description: A critical issue has been found, allowing for remote exploitation. In the case of projectworlds Online Food Ordering System, an unkno...
Security Bulletin: Vulnerability in certifi affects IBM Cloud Pak for Data System 2.0 (CPDS 2.0) [CVE-2022-23491]
Summary: The certifi package is used by IBM Cloud Pak for Data System 2.0. IBM Cloud Pak for Data System 2.0 has addressed the applicable CVE, CVE-2022-23491. Vulnerability Details: CVEID: CVE-2022-23491. DESCRIPTION: An unspecified error in with TrustCor's ownership also operated a business that...
PT-2025-16179 · Unknown · Youdiancms
Name of the Vulnerable Software and Affected Versions: YouDianCMS version 9.5.21 Description: A vulnerability has been found in YouDianCMS, affecting some unknown processing of the file /App/Tpl/Admin/Default/Channel/index.html. The manipulation of the argument Parent leads to cross-site scriptin...
CVE-2025-32382
Metabase is an open source Business Intelligence and Embedded Analytics tool. When admins change Snowflake connection details in Metabase either updating a password or changing password to private key or vice versa, Metabase would not always purge older Snowflake connection details from the...
CVE-2025-1386 - Query smuggling in ch-go library
Impact: When using the ch-go library, under a specific condition when the query includes large, uncompressed, malicious external data, it is possible for an attacker in control of such data to smuggle another query packet into the connection stream. Patches: If you are using the ch-go library, we...
GHSA-2XM2-23FF-P8WW Formie has XSS vulnerability for email notification content for preview
Impact: It is possible to inject malicious code into the HTML content of an email notification, which is then rendered on the preview. There is no issue when rendering the email via normal means (a delivered email). This would require access to the form's email notification settings. Patches: This ha...
Formie has XSS vulnerability for importing forms
Impact: When importing a form from JSON, if the field label or handle contained malicious content, the output wasn't correctly escaped when viewing a preview of what was to be imported. As imports are undertaken primarily by users who have themselves exported the form from one environment to...
WordPress QuadMenu plugin <= 3.2.0 - Cross-Site Request Forgery to Limited User Meta Update vulnerability
Cross-Site Request Forgery to Limited User Meta Update vulnerability discovered by Peter Thaleikis in WordPress Plugin QuadMenu versions <= 3.2.0...
GHSA-PXW4-94J3-V9PF SurrealDB CPU exhaustion via custom functions result in total DoS
SurrealDB allows authenticated users with OWNER or EDITOR permissions at the root, database or namespace levels to define their own database functions using the DEFINE FUNCTION statement. A custom database function comprises a name together with a function body. In the function body, the user...
GHSA-3633-G6MG-P6QQ SurrealDB memory exhaustion via string::replace using regex
An authenticated user can craft a query using the string::replace function that uses a regex to perform a string replacement. As there is a failure to restrict the resulting string length, this enables an attacker to send a string::replace function to the SurrealDB server, exhausting all the memor...
SurrealDB server-takeover via SurrealQL injection on backup import
The SurrealDB command-line tool allows exporting databases through the export command. It was discovered that table or field names are not properly sanitized in exports, leading to a SurrealQL injection when the backup is reimported. For the injection to occur, an authenticated System User with...
PT-2025-16280 · Unknown · Meshtastic
Name of the Vulnerable Software and Affected Versions: Meshtastic versions prior to 2.6.2 Description: Meshtastic is an open source mesh networking solution. A fault in the handling of mesh packets containing invalid protobuf data can result in an attacker-controlled buffer overflow, allowing an...
PT-2025-16150 · Crates.Io · Surrealdb
SurrealDB allows authenticated users with OWNER or EDITOR permissions at the root, database or namespace levels to define their own database functions using the DEFINE FUNCTION statement. A custom database function comprises a name together with a function body. In the function body, the user...
PT-2025-16060 · Unknown · Sandeep Verma Html5 Video Player With Playlist
Name of the Vulnerable Software and Affected Versions: Sandeep Verma HTML5 Video Player with Playlist versions 2.50 and earlier. Description: The issue is related to improper neutralization of input during web page generation, which allows for reflected cross-site scripting (XSS). This enables...
Dell Client BIOS Stack-based Buffer Overflow (DSA-2025-088)
Dell Client Platform BIOS contains a Stack-based Buffer Overflow Vulnerability. A high privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary code execution. Note that Nessus has not tested for this issue but has instead relied only on the...