Github Security Blog
added 2025/01/22 6:09 p.m. · 11 views

Cilium has an information leakage via insecure default Hubble UI CORS header

Impact: For users who deploy Hubble UI using either Cilium CLI or via the Cilium Helm chart, an insecure default Access-Control-Allow-Origin header value could lead to sensitive data exposure. A user with access to a Hubble UI instance affected by this issue could leak configuration details about...

CVSS 6.5 · AI score 6.4 · EPSS 0.00481
Exploits 0 · References 4 · Affected Software 1
Malwarebytes
added 2025/01/22 1:33 p.m. · 11 views

7-Zip bug could allow a bypass of a Windows security feature. Update now

A patch is available for a vulnerability in 7-Zip that could have allowed attackers to bypass the Mark-of-the-Web (MotW) security feature in Windows. The MotW is an attribute added to files by Windows when they have been sourced from an untrusted location, like the internet or a restricted zone. Th...

AI score 7.7
Exploits 0
Vulnrichment
added 2025/01/21 9:26 p.m. · 11 views

CVE-2024-45479 Apache Ranger: SSRF in Edit Service page - Add logic to filter requests to localhost

SSRF vulnerability in Edit Service Page of Apache Ranger UI in Apache Ranger Version 2.4.0. Users are recommended to upgrade to version Apache Ranger 2.5.0, which fixes this issue...

AI score 9.3 · EPSS 0.00617
Exploits 0 · References 1
Github Security Blog
added 2025/01/21 9:21 p.m. · 47 views

Umbraco Allows User Enumeration Feasible Based On Management API Timing and Response Codes

Impact: Based on an analysis of response codes and timing of Umbraco 14+ management API responses, it's possible to determine whether an account exists. Patches: Patched in 14.3.2 and 15.1.2. Workarounds: None available...

CVSS 5.3 · AI score 5.1 · EPSS 0.01451
Exploits 1 · References 5 · Affected Software 1
Github Security Blog
added 2025/01/21 9:13 p.m. · 26 views

Missing validation of header name and value in codeigniter4/framework

Impact: Lack of proper header validation for its name and value. The potential attacker can construct deliberately malformed headers with the Header class. This could disrupt application functionality, potentially causing errors or generating invalid HTTP requests. In some cases, these malformed...

CVSS 5.3 · AI score 6.7 · EPSS 0.00477
Exploits 0 · References 6 · Affected Software 1
Github Security Blog
added 2025/01/21 7:59 p.m. · 11 views

XSS/HTML Injection Vulnerability in Umbraco Backoffice Components

Impact: Authenticated users are able to exploit an XSS vulnerability when viewing certain localized backoffice components. Patches: Will be patched in 14.3.2 and 15.1.2. Note: This issue was reported by Pratik Patil from NetSPI @Nexusss-ppatil...

CVSS 5.4 · AI score 5.9 · EPSS 0.00258
Exploits 0 · References 4 · Affected Software 2
NVD
added 2025/01/21 5:15 p.m. · 23 views

CVE-2025-24018

YesWiki is a wiki system written in PHP. In versions up to and including 4.4.5, it is possible for an authenticated user with rights to edit/create a page or comment to trigger a stored XSS which will be reflected on any page where the resource is loaded. The vulnerability makes use of the conten...

CVSS 7.6 · EPSS 0.00392
Exploits 1 · References 3
Debian CVE
added 2025/01/21 12:18 p.m. · 4 views

CVE-2024-57942

In the Linux kernel, the following vulnerability has been resolved: netfs: Fix ceph copy to cache on write-begin. At the end of netfs_unlock_read_folio(), in which folios are marked appropriately for copying to the cache, either by being marked dirty and having their private data set or by having...

CVSS 5.5 · AI score 5.6 · EPSS 0.00173
Exploits 0
NVD
added 2025/01/21 12:15 p.m. · 11 views

CVE-2024-57938

In the Linux kernel, the following vulnerability has been resolved: net/sctp: Prevent autoclose integer overflow in sctp_association_init(). While by default max_autoclose equals INT_MAX / HZ, one may set net.sctp.max_autoclose to UINT_MAX. There is code in sctp_association_init() that can consequently...

CVSS 5.5 · EPSS 0.00207
Exploits 0 · References 9
Positive Technologies
added 2025/01/21 12:00 a.m. · 7 views

PT-2025-4269 · Oracle · Oracle Hospitality Opera 5

Name of the Vulnerable Software and Affected Versions: Oracle Hospitality OPERA 5 versions 5.6.19.20 through 5.6.27.1. Description: This issue allows an unauthenticated attacker with network access via HTTP to compromise Oracle Hospitality OPERA 5. Successful attacks can result in unauthorized...

CVSS 9.1 · AI score 8.7 · EPSS 0.00572
Exploits 0 · References 7
Positive Technologies
added 2025/01/21 12:00 a.m. · 6 views

PT-2025-4816 · Brave · Brave Browser

Name of the Vulnerable Software and Affected Versions: Brave Browser versions 1.70.x through 1.73.x. Description: The issue arises from a feature that displays a site's origin on the OS-provided file selector dialog when a site prompts the user to upload or download a file. However, the origin is...

CVSS 6.1 · AI score 6 · EPSS 0.0035
Exploits 0 · References 10
Positive Technologies
added 2025/01/21 12:00 a.m. · 4 views

PT-2025-5261

Name of the Vulnerable Software and Affected Versions: YesWiki versions up to and including 4.4.5. Description: The vulnerability allows any end-user to craft a DOM based XSS on all of YesWiki's pages, which is triggered when a user clicks on a malicious link. This issue makes use of the search by t...

CVSS 7.6 · AI score 6.7 · EPSS 0.00337
Exploits 1 · References 11
OSV
added 2025/01/21 12:00 a.m. · 6 views

OPENSUSE-SU-2025:14680-1 ruby3.4-rubygem-railties-8.0-8.0.1-1.1 on GA media

These are all security issues fixed in the ruby3.4-rubygem-railties-8.0-8.0.1-1.1 package on the GA media of openSUSE Tumbleweed...

CVSS 2.3 · AI score 6.2 · EPSS 0.00989
Exploits 0 · References 2
OSV
added 2025/01/20 3:47 p.m. · 13 views

CVE-2025-23219 WeGIA has a SQL Injection endpoint 'adicionar_cor.php' parameter 'cor'

WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in the WeGIA application, specifically in the adicionar_cor.php endpoint. This vulnerability allows attackers to execute arbitrary SQL commands in t...

CVSS 10 · AI score 8.2 · EPSS 0.00579
Exploits 1 · References 4
Cvelist
added 2025/01/20 3:43 p.m. · 47 views

CVE-2025-23044 Cross-Site Request Forgery (CSRF) allows creating admin account with POST request

PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit...

CVSS 6.8 · EPSS 0.00239
Exploits 1 · References 2
CVE
added 2025/01/19 10:18 a.m. · 2491 views

CVE-2025-21648

CVE-2025-21648 affects the Linux kernel netfilter conntrack code. The vulnerability arises from the hashtable resize path where the maximum size could exceed practical limits, risking a WARN_ON_ONCE in __kvmalloc_node_noprof() when __GFP_NOWARN is unset. The fix clamps the conntrack hashtable siz...

CVSS 5.5 · AI score 7 · EPSS 0.00209
Exploits 0 · References 9 · Affected Software 1
CVE
added 2025/01/19 10:17 a.m. · 235 views

CVE-2025-21631

CVE-2025-21631 is a Linux kernel UAF issue in the bfq I/O scheduler. The vulnerability arises from a use-after-free involving waker_bfqq after bfq_split_bfqq, leading to slab-use-after-free in bfq_init_rq as shown by the KASAN report. Affected code paths include bfq-iosched.c: bfq_init_rq/bfq_ins...

CVSS 7.8 · AI score 7 · EPSS 0.00206
Exploits 0 · References 6 · Affected Software 1
Tenable Nessus
added 2025/01/19 12:00 a.m. · 10 views

Fedora 41 : stb (2025-6a64d3b2fc)

The remote Fedora 41 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-6a64d3b2fc advisory. Add another patch for the root cause of CVE-2021-45340. We already have a patch for CVE-2021-45340, but adding this new patch may prevent a related, unproven...

CVSS 6.5 · AI score 6.6 · EPSS 0.00922
Exploits 1 · References 2
SUSE Linux
added 2025/01/17 4:09 p.m. · 1 view

Security update for pam_u2f

This update for pam_u2f fixes the following issues: CVE-2025-23013: Fixed problematic PAM_IGNORE return values in pam_sm_authenticate (bsc#1233517). Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you ca...

CVSS 7.8 · AI score 9.7 · EPSS 0.00397
Exploits 0 · References 6
OSV
added 2025/01/16 7:05 p.m. · 2 views

GHSA-JHVJ-F397-8W6Q HAL Console has a Cross Site Scripting (XSS) vulnerability of user input

A flaw was found in the HAL Console in the Wildfly component, which does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output used as a web page that is served to other users. The attacker must be authenticated as a user that belongs to management groups...

CVSS 6.5 · AI score 6 · EPSS 0.00426
Exploits 0 · References 5