RHEL 7 / 8 / 9 : Red Hat JBoss Enterprise Application Platform 7.4.21 (RHSA-2025:3465)
The remote Red Hat Enterprise Linux 7 / 8 / 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2025:3465 advisory. Red Hat JBoss Enterprise Application Platform 7 is a platform for Java applications based on the WildFly application runtime. This...
The XWiki JIRA extension allows data leak through an XXE attack by using a fake JIRA server
Impact If the JIRA macro is installed, any logged in XWiki user could edit his/her user profile wiki page and use that JIRA macro, specifying a fake JIRA URL that returns an XML document whose DOCTYPE points to a local file on the XWiki server host, displaying that file's content in one of the...
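The mechanism described above, as an added example that is not XWiki's code: the wiki host fetches XML from a URL the attacker controls, and an external entity declared in that document's DOCTYPE makes the parser read a file on the wiki host and inline its contents into the rendered output. Python's stdlib SAX parser stands in for whatever parser the macro uses (an assumption); the JIRA response and the "secret" file are constructed here.

```python
"""XXE via a DOCTYPE served by a fake JIRA server (example code for this page,
not XWiki's). The response XML and the secret file are constructed inputs."""
import io
import os
import pathlib
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data, i.e. what a macro would render into the page."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts).strip()


def fake_jira_response(secret_path):
    """What a malicious 'JIRA server' returns: the DOCTYPE declares an external
    general entity whose SYSTEM id is a file on the *client* (XWiki) host, and
    the entity is referenced inside a field the macro displays."""
    file_uri = pathlib.Path(secret_path).as_uri()
    return (
        '<?xml version="1.0"?>\n'
        f'<!DOCTYPE rss [<!ENTITY xxe SYSTEM "{file_uri}">]>\n'
        "<rss><channel><item><summary>&xxe;</summary></item></channel></rss>"
    )


def parse_response(xml_text, resolve_external_entities):
    """Parse like a naive consumer (True) or a hardened one (False) and return
    the rendered text. The hardening is one switch: a parser fed untrusted XML
    must never dereference external general entities."""
    handler = TextCollector()
    parser = xml.sax.make_parser()
    parser.setContentHandler(handler)
    parser.setFeature(feature_external_ges, resolve_external_entities)
    parser.parse(io.BytesIO(xml_text.encode("utf-8")))
    return handler.text()


def demo():
    """Returns (text rendered by the vulnerable parser, text rendered by the
    hardened parser) for the same attacker-supplied response."""
    with tempfile.NamedTemporaryFile("w", delete=False, suffix=".properties") as f:
        f.write("db.password=hunter2\n")  # constructed stand-in for a secret on the wiki host
        secret_path = f.name
    try:
        xml_text = fake_jira_response(secret_path)
        leaked = parse_response(xml_text, resolve_external_entities=True)
        safe = parse_response(xml_text, resolve_external_entities=False)
    finally:
        os.unlink(secret_path)
    return leaked, safe


if __name__ == "__main__":
    leaked, safe = demo()
    print("vulnerable parser rendered:", repr(leaked))
    print("hardened parser rendered:  ", repr(safe))
```

The point to check in any XML consumer that fetches remote documents is the equivalent of `feature_external_ges`: with it enabled the file contents land in the page, with it disabled the entity reference is skipped and nothing is read. The same applies to parameter entities and DOCTYPE processing in general; disabling DOCTYPE declarations outright where the format does not need them is the simplest fix.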
WordPress WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms Plugin <= 1.1.3 - Cross Site Request Forgery (CSRF) to Settings Change vulnerability
Cross Site Request Forgery (CSRF) to Settings Change vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin WP Zendesk for Contact Form 7, WPForms, Elementor, Formidable and Ninja Forms versions <= 1.1.3...
WordPress EventON plugin <= 2.4.1 - Local File Inclusion vulnerability
Local File Inclusion vulnerability discovered by Ngô Thiên An (ancorn) from VNPT-VCI in WordPress Plugin EventON versions <= 2.4.1...
SUSE-SU-2025:1141-1 Security update for go1.23
This update for go1.23 fixes the following issues: - Update to go1.23.8 - CVE-2025-22871: Fix an issue with request smuggling through invalid chunked data. bsc1240550...
SUSE CVE-2025-31115
XZ Utils provide a general-purpose data-compression library plus command-line tools. In XZ Utils 5.3.3alpha to 5.8.0, the multithreaded .xz decoder in liblzma has a bug where invalid input can at least result in a crash. The effects include heap use after free and writing to an address based on t...
PT-2025-14819 · Unknown · Phpgurukul E-Diary Management System
Name of the Vulnerable Software and Affected Versions: PHPGurukul e-Diary Management System version 1.0 Description: A critical issue affects an unknown functionality of the /login.php file. The manipulation of the logindetail argument leads to SQL injection. This issue can be exploited remotely...
PT-2025-14930 · Unknown · Stylemix Masterstudy Lms
Name of the Vulnerable Software and Affected Versions: Stylemix MasterStudy LMS versions 3.5.23 and earlier Description: The issue is related to an Improper Control of Filename for Include/Require Statement in PHP Program, also known as 'PHP Remote File Inclusion', which allows PHP Local File...
PT-2025-14988 · Unknown · Dimitri Grassi Salon Booking System
Name of the Vulnerable Software and Affected Versions: Dimitri Grassi Salon booking system versions n/a through 10.10.7 Description: The issue is related to a Missing Authorization vulnerability, which allows exploitation due to incorrectly configured access control security levels...
FreeBSD : MongoDB -- crash due to improper validation of explain command (350b3389-107f-11f0-8195-b42e991fc52e)
The version of FreeBSD installed on the remote host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the 350b3389-107f-11f0-8195-b42e991fc52e advisory. The advisory reports: When run on commands with certain arguments set, explain may fail to validate...
PT-2025-14933 · WordPress · Coothemes Easy Wp Optimizer
Name of the Vulnerable Software and Affected Versions: coothemes Easy WP Optimizer versions 1.1.0 and earlier Description: The issue is related to a Missing Authorization vulnerability, which allows exploitation of incorrectly configured access control security levels. Recommendations: For versio...
PT-2025-14936 · Rameez Iqbal Real Estate Manager
Name of the Vulnerable Software and Affected Versions: Rameez Iqbal Real Estate Manager versions n/a through 7.3 Description: The issue is related to improper control of filename for include/require statement in PHP program, also known as 'PHP Remote File Inclusion', which allows PHP Local File...
CVE-2025-30370 jupyterlab-git has a command injection vulnerability in "Open Git Repository in Terminal"
jupyterlab-git is a JupyterLab extension for version control using Git. On many platforms, a third party can create a Git repository under a name that includes a shell command substitution string in the syntax $(...). These directory names are allowed in macOS and a majority of Linux distributions. If...
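The injection mechanism from the report above, as an added example that is not jupyterlab-git's code: a repository directory name containing `$(...)` is interpolated raw into a command line handed to a shell, and the shell executes the substitution before the intended command ever runs. The repository names are constructed here; `printf` stands in for the `cd` a terminal integration would send, so the block can show exactly what the shell saw.

```python
"""Shell command substitution smuggled in a directory name (example code for
this page, not jupyterlab-git's). Repository names below are constructed."""
import shlex
import subprocess

# Directory names an attacker can create on Linux and macOS. The second one
# also contains a single quote, which defeats naive manual quoting.
MALICIOUS_REPO_NAMES = [
    "repo-$(echo injected)",
    "it's-$(echo injected)",
]


def command_as_shell_sees_it(repo_name, quote):
    """Build the kind of 'cd <path>' line a terminal integration might send to
    a shell and return the argument the shell actually ended up with.

    quote=False: the name is interpolated raw, so the shell runs $(...).
    quote=True:  shlex.quote() wraps it so the shell treats it as literal text.
    """
    part = shlex.quote(repo_name) if quote else repo_name
    # printf echoes its argument *after* the shell has performed substitution,
    # which makes the effect observable without running anything destructive.
    result = subprocess.run(
        ["sh", "-c", f"printf '%s' {part}"],
        capture_output=True, text=True, check=True,
    )
    return result.stdout


def compare(repo_name):
    """Returns (what the shell saw unquoted, what it saw quoted)."""
    return (
        command_as_shell_sees_it(repo_name, quote=False),
        command_as_shell_sees_it(repo_name, quote=True),
    )


if __name__ == "__main__":
    for name in MALICIOUS_REPO_NAMES:
        raw, quoted = compare(name)
        print(f"{name!r}: unquoted -> {raw!r}, quoted -> {quoted!r}")
```

Where the command does not have to be typed into an interactive terminal at all, the stronger fix is to avoid the shell entirely and pass an argument list (`subprocess.run(["git", "-C", repo_path, "status"])`), so no shell ever parses the path. When a shell is unavoidable, quoting with `shlex.quote` (or the platform equivalent) must be applied to every attacker-influenced fragment, including names with embedded quotes.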
CVE-2025-30676
Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in Apache OFBiz. This issue affects Apache OFBiz: before 18.12.19. Users are recommended to upgrade to version 18.12.19, which fixes the issue...
WordPress CM Header and Footer plugin <= 1.2.4 - Cross Site Scripting (XSS) Vulnerability
Cross Site Scripting (XSS) Vulnerability discovered by Nguyen Xuan Chien in WordPress Plugin CM Header and Footer versions <= 1.2.4...
CVE-2025-21995
In the Linux kernel, the following vulnerability has been resolved: drm/sched: Fix fence reference count leak The last_scheduled fence leaks when an entity is being killed and adding the cleanup callback fails. Decrement the reference count of prev when dma_fence_add_callback() fails, ensuring proper...
PT-2025-14585
Name of the Vulnerable Software and Affected Versions: PHPGurukul Bus Pass Management System version 1.0 Description: A critical issue was found in the PHPGurukul Bus Pass Management System, affecting an unknown part of the file /view-pass-detail.php. The manipulation of the viewid argument leads t...
PT-2025-14802 · Totolink · Totolink X18
Name of the Vulnerable Software and Affected Versions: TOTOLINK X18 version 9.1.0cu.2024_B20220329 Description: The issue allows a remote attacker to execute arbitrary code via the sub_410E54 function of cstecgi.cgi. Recommendations: For TOTOLINK X18 version 9.1.0cu.2024_B20220329, as a...
PT-2025-18663 · Totolink · Totolink Ca600-Poe
Name of the Vulnerable Software and Affected Versions: TOTOLINK CA600-PoE version V5.3c.6665_B20180820 Description: A command injection issue was discovered in the msg_process function via the Port parameter. This issue allows attackers to execute arbitrary commands through a manipulated request...
PT-2025-18662 · Totolink · Totolink Ca600-Poe
Name of the Vulnerable Software and Affected Versions: TOTOLINK CA600-PoE version 5.3c.6665_B20180820 Description: The issue is related to a command injection vulnerability in the CloudSrvUserdataVersionCheck function via the version parameter. This allows attackers to execute arbitrary commands ...