PT-2025-12544 · Unknown · Project Worlds Online Time Table Generator
Name of the Vulnerable Software and Affected Versions: Project Worlds Online Time Table Generator version 1.0 Description: A critical vulnerability was found in Project Worlds Online Time Table Generator. This affects an unknown part of the file /student/index.php. The manipulation of the argumen...
PT-2025-12479 · WordPress · Export/Import Users/Customers
Name of the Vulnerable Software and Affected Versions: Export and Import Users and Customers plugin for WordPress versions prior to 2.6.3 Description: The issue is related to insufficient file path validation in the admin log page function, allowing authenticated attackers with Administrator-leve...
CVE-2025-29926
XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so perform other attacks on the farm. Note that this REST API is not bundled in XWiki Standard b...
CVE-2025-29925
XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, protected pages are listed when requesting the REST endpoints /rest/wikis/wikiName/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent...
GHSA-837Q-JHWX-CMPV Parse Server has an OAuth login vulnerability
Impact: The 3rd party authentication handling of Parse Server allows the authentication credentials of some specific authentication providers to be used across multiple Parse Server apps. For example, if a user signed up using the same authentication provider in two unrelated Parse Server apps, th...
DEBIAN-CVE-2025-2591
A vulnerability classified as problematic was found in Open Asset Import Library Assimp 5.4.3. This vulnerability affects the function MDLImporter::InternReadFile_Quake1 of the file code/AssetLib/MDL/MDLLoader.cpp. The manipulation of the argument skinwidth/skinheight leads to divide by zero. The...
CVE-2025-2598
CVE-2025-2598 (AWS CDK CLI): When using the AWS CDK CLI with a credential plugin that returns an expiration property, credentials may be printed to console output. The issue is mitigated by upgrading to version 2.178.2 or later and patching any forked/derivative code. Public references indicate ...
CVE-2025-2591 Open Asset Import Library Assimp MDLLoader.cpp InternReadFile_Quake1 divide by zero
A vulnerability classified as problematic was found in Open Asset Import Library Assimp 5.4.3. This vulnerability affects the function MDLImporter::InternReadFile_Quake1 of the file code/AssetLib/MDL/MDLLoader.cpp. The manipulation of the argument skinwidth/skinheight leads to divide by zero. The...
CVE-2025-29922 kcp allows unauthorized creation and deletion of objects in arbitrary workspaces through APIExport Virtual Workspace
kcp is a Kubernetes-like control plane for form-factors and use-cases beyond Kubernetes and container workloads. Prior to 0.26.3, the identified vulnerability allows creating or deleting an object via the APIExport VirtualWorkspace in any arbitrary target workspace for pre-existing resources. By...
CVE-2024-9699 Cross-Site Scripting (XSS) in flatpressblog/flatpress
A vulnerability in the file upload functionality of the FlatPress CMS admin panel (latest version) allows an attacker to upload a file with a JavaScript payload disguised as a filename. This can lead to a Cross-Site Scripting (XSS) attack if the uploaded file is accessed by other users. The issue is...
PT-2025-12376
Name of the Vulnerable Software and Affected Versions: Esri ArcGIS Enterprise versions 10.9.1 through 11.4 Description: A specific type of ArcGIS Enterprise deployment is vulnerable to a password recovery exploitation vulnerability in Portal, which could allow an attacker to reset the password on t...
H2O Deserialization of Untrusted Data Vulnerability
A vulnerability in the h2oai/h2o-3 REST API version 3.46.0.4 allows unauthenticated remote attackers to execute arbitrary code via deserialization of untrusted data. The vulnerability exists in the endpoints POST /99/ImportSQLTable and POST /3/SaveToHiveTable, where user-controlled JDBC URLs are...
PT-2025-12236 · Unknown · Modelscope/Agentscope
Name of the Vulnerable Software and Affected Versions: modelscope/agentscope versions prior to the fix Description: A path traversal vulnerability exists in the save-workflow and load-workflow functionality. This vulnerability allows an attacker to read and write arbitrary JSON files on the...
Azure Linux 3.0 Security Update: kernel (CVE-2024-56593)
The version of the kernel installed on the remote Azure Linux 3.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-56593 advisory. - In the Linux kernel, the following vulnerability has been resolved: wifi: brcmfmac: Fix oops due to NULL...
PT-2025-12087 · Unknown · Gpt Academic
Name of the Vulnerable Software and Affected Versions: GPT Academic version 3.83 Description: The issue concerns a Local File Read (LFI) vulnerability through the HotReload function, which can download and extract tar.gz files from arxiv.org. Despite protections against path traversal, the...
PT-2025-12198 · Unknown · Open-Webui
Name of the Vulnerable Software and Affected Versions: open-webui/open-webui version 0.3.8 Description: The issue concerns a Server-Side Request Forgery (SSRF) vulnerability. Specifically, the /openai/models endpoint is affected, allowing an attacker to change the OpenAI URL to any URL without...
Azure Linux 3.0 Security Update: kernel (CVE-2024-48881)
The version of the kernel installed on the remote Azure Linux 3.0 host is prior to the tested version. It is, therefore, affected by a vulnerability as referenced in the CVE-2024-48881 advisory. - In the Linux kernel, the following vulnerability has been resolved: bcache: revert replacing IS_ERR_OR_NULL wi...
GHSA-22Q5-9PHM-744V XWiki allows unregistered users to access private pages information through REST endpoint
Impact: Protected pages are listed when requesting the REST endpoints /rest/wikis/wikiName/pages even if the user doesn't have view rights on them. It's particularly true if the entire wiki is protected with "Prevent unregistered user to view pages": the endpoint would still list the pages of the...
XWiki uses the wrong wiki reference in AuthorizationManager
Impact: It's possible for a user to get access to private information through the REST API - but it could also be through another API - when a sub wiki is using "Prevent unregistered users to view pages". The vulnerability only affects subwikis, and it only concerns specific right options such as...