EUVD-2024-30455
Malicious code in bioql PyPI...
CVE-2025-54428
RevelaCode is an AI-powered faith-tech project that decodes biblical verses, prophecies and global events into accessible language. In versions below 1.0.1, a valid MongoDB Atlas URI with embedded username and password was accidentally committed to the public repository. This could allow...
CVE-2024-47825
Cilium is a networking, observability, and security solution with an eBPF-based dataplane. Starting in version 1.14.0 and prior to versions 1.14.16 and 1.15.10, a policy rule denying a prefix that is broader than /32 may be ignored if there is a policy rule referencing a narrower prefix CIDRSe...
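The failure mode described above, a narrow allow shadowing a broad deny, is easiest to see next to the evaluation order that prevents it. The following is an added example, not Cilium code and not a model of its eBPF policy maps: two evaluators over IPv4 CIDR rules, one that picks the longest matching prefix (so a /24 allow wins over a /8 deny) and one where any matching deny rejects the peer regardless of prefix length. Rule shapes and the `allow`/`deny` action names are assumptions for the example.

```javascript
// Added example (not Cilium code): CIDR policy evaluation with and without
// deny precedence.

function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error(`invalid IPv4 address: ${ip}`);
  }
  return ((parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]) >>> 0;
}

function parseCidr(cidr) {
  const [ip, lenStr] = cidr.split('/');
  const len = lenStr === undefined ? 32 : Number(lenStr);
  if (!Number.isInteger(len) || len < 0 || len > 32) throw new Error(`invalid prefix: ${cidr}`);
  const mask = len === 0 ? 0 : (0xffffffff << (32 - len)) >>> 0;
  return { net: (ipToInt(ip) & mask) >>> 0, mask, len };
}

function cidrContains(prefix, ip) {
  return ((ipToInt(ip) & prefix.mask) >>> 0) === prefix.net;
}

// Longest-prefix-match evaluation: the most specific matching rule decides,
// so a narrower allow silently overrides a broader deny. Default deny.
function evaluateLpm(rules, ip) {
  let best = null;
  for (const r of rules) {
    const p = parseCidr(r.cidr);
    if (cidrContains(p, ip) && (best === null || p.len > best.len)) {
      best = { len: p.len, action: r.action };
    }
  }
  return best !== null && best.action === 'allow';
}

// Deny-precedence evaluation: any matching deny rejects, whatever its length;
// otherwise at least one matching allow is required. Default deny.
function evaluateDenyWins(rules, ip) {
  let allowed = false;
  for (const r of rules) {
    const p = parseCidr(r.cidr);
    if (!cidrContains(p, ip)) continue;
    if (r.action === 'deny') return false;
    allowed = true;
  }
  return allowed;
}

// Constructed policy: a broad deny (wider than /32) overlapped by a narrower allow.
const RULES = [
  { cidr: '10.0.0.0/8', action: 'deny' },
  { cidr: '10.1.2.0/24', action: 'allow' },
];
```

With RULES, 10.1.2.3 is allowed by the longest-prefix evaluator and rejected by the deny-precedence one; that difference is the behaviour the advisory describes.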
CVE-2025-47934
OpenPGP.js CVE-2025-47934 affects versions prior to 5.11.3 and 6.1.1, where a maliciously modified message can cause openpgp.verify or openpgp.decrypt to return a valid signature verification while the data may not have been signed. This affects inline-signed messages and signed-and-encrypted mes...
Shopware default newsletter opt-in settings allow for mass sign-up abuse
Impact: Currently the default settings for double opt-in allow for mass unsolicited newsletter sign-ups without confirmation. Default settings are: Newsletter: Double opt-in - active; Newsletter: Double opt-in for registered customers - disabled; Log-in & sign-up: Double opt-in on sign-up - disabled...
PT-2025-9821
Name of the Vulnerable Software and Affected Versions: Kibana versions 8.15.0 through 8.17.2. Description: Prototype pollution in Kibana leads to arbitrary code execution via a crafted file upload and specifically crafted HTTP requests. In Kibana versions >= 8.15.0 and < 8.17.1, this is exploitable by...
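Prototype pollution of the kind named above starts with a recursive merge that follows a `__proto__` key into `Object.prototype`. The following is an added example, not Kibana code: a merge with that defect next to a hardened merge that refuses the keys reaching the prototype chain and only reuses own properties of the target. ATTACKER_BODY is a constructed request body.

```javascript
// Added example (not Kibana code): a prototype-polluting deep merge beside a
// hardened one.

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && !Array.isArray(v);
}

function unsafeMerge(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (isPlainObject(value)) {
      // target["__proto__"] resolves to Object.prototype, so the recursion
      // below writes attacker data into it.
      if (!isPlainObject(target[key])) target[key] = {};
      unsafeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue; // never walk into the prototype chain
    const value = source[key];
    if (isPlainObject(value)) {
      // Only reuse an existing *own* object on target, never an inherited one.
      if (!Object.prototype.hasOwnProperty.call(target, key) || !isPlainObject(target[key])) {
        target[key] = {};
      }
      safeMerge(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker body, as JSON.parse would produce it from a request.
// JSON.parse creates "__proto__" as an own property, so Object.keys() returns it.
const ATTACKER_BODY = '{"name": "report", "__proto__": {"isAdmin": true}}';

function demoUnsafe() {
  unsafeMerge({}, JSON.parse(ATTACKER_BODY));
  const unrelated = {};
  const polluted = unrelated.isAdmin === true; // every object now "isAdmin"
  delete Object.prototype.isAdmin; // undo so the rest of the process is clean
  return polluted;
}

function demoSafe() {
  const merged = safeMerge({}, JSON.parse(ATTACKER_BODY));
  return { polluted: ({}).isAdmin === true, name: merged.name };
}
```

The same check belongs anywhere user-controlled keys are copied into objects: query-string parsers, YAML/JSON config loaders and file-upload metadata handlers are the usual entry points.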
CVE-2025-25300
smartbanner.js is a customizable smart app banner for iOS and Android. Prior to version 1.14.1, clicking on the smartbanner View link and navigating to a 3rd-party page leaves window.opener exposed. It may allow hostile third parties to abuse window.opener, e.g. by redirection or injection on the...
CVE-2025-25300
CVE-2025-25300 concerns smartbanner.js (pre-1.14.1) where clicking the View link could expose window.opener to a 3rd-party page, enabling possible redirection or script manipulation on the original page. The issue is addressed in version 1.14.1 by automatically applying rel="noopener" to links. I...
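Both entries above come down to one rule: a link that opens a new browsing context or leaves the site must carry rel="noopener". The following is an added example, not smartbanner.js code: hardenRel() computes the rel attribute such a link should have, preserving tokens already present, and openLink()/tabnab() are a constructed model of two browsing contexts used only to show what a hostile page does through window.opener when the attribute is missing. The site origin and URLs are assumptions for the example.

```javascript
// Added example (not smartbanner.js code): rel="noopener" hardening and a
// model of the reverse-tabnabbing it prevents.

function hardenRel(existingRel, { href, target, siteOrigin }) {
  const tokens = new Set((existingRel || '').split(/\s+/).filter(Boolean));
  let external;
  try {
    external = new URL(href, siteOrigin).origin !== siteOrigin;
  } catch {
    external = true; // unparsable href: treat as external rather than trusted
  }
  if (target === '_blank' || external) tokens.add('noopener');
  return [...tokens].join(' ');
}

// Model of window.open / target=_blank: without noopener the new browsing
// context keeps a reference to the page that opened it.
function openLink(openerPage, rel) {
  const hasNoopener = (rel || '').split(/\s+/).includes('noopener');
  return { opener: hasNoopener ? null : openerPage };
}

// What a hostile third-party page does with window.opener: navigate the
// original page, e.g. to a phishing copy of the site it came from.
function tabnab(openedPage, evilUrl) {
  if (!openedPage.opener) return false;
  openedPage.opener.location = evilUrl;
  return true;
}
```

In a real page, apply hardenRel() when the anchor is rendered, and pass the resulting rel to the `a` element; modern browsers also imply noopener for target=_blank, but the attribute is what protects older ones and explicit window.open() calls.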
Possible Content Security Policy bypass in Action Dispatch
There is a possible Cross Site Scripting (XSS) vulnerability in the content_security_policy helper in Action Pack. Impact: Applications which set Content-Security-Policy (CSP) headers dynamically from untrusted user input may be vulnerable to carefully crafted inputs being able to inject new directives...
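The injection above works because ';' separates directives in a CSP header, so an untrusted value containing one terminates the directive being built and starts another. The following is an added example, not Action Pack code: a header assembled by interpolation, a version that validates the value as a single host-source before interpolating it, and a small parser that splits a header the way a browser does so the injected directive is visible. The partner-hostname setting and the sample payload are assumptions for the example.

```javascript
// Added example (not Action Pack code): CSP directive injection via an
// interpolated source, and the validation that prevents it.

function buildCspUnsafe(partnerHost) {
  // A ';' inside partnerHost terminates script-src and starts a new directive.
  return `default-src 'self'; script-src 'self' ${partnerHost}`;
}

// Accept only a host-source: optional scheme, optional leading "*.", labels,
// optional port. Whitespace, ';' and ',' can never pass, so no directive can be
// injected. Assumption: the application only ever expects a partner hostname here.
const HOST_SOURCE = /^(?:https?:\/\/)?(?:\*\.)?[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)*(?::\d{1,5})?$/;

function buildCspSafe(partnerHost) {
  if (typeof partnerHost !== 'string' || !HOST_SOURCE.test(partnerHost)) {
    throw new Error(`rejected CSP source: ${JSON.stringify(partnerHost)}`);
  }
  return `default-src 'self'; script-src 'self' ${partnerHost}`;
}

// Directive name -> source list, split as a browser does. A repeated directive
// is ignored by the browser, so the first occurrence wins here too.
function parseCsp(header) {
  const policy = Object.create(null);
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    if (!(name in policy)) policy[name] = sources;
  }
  return policy;
}

// Constructed attacker input: a plausible host followed by a new directive.
// script-src-elem, when present, governs <script> elements instead of script-src.
const INJECTED = "cdn.example.com; script-src-elem 'unsafe-inline' https:";
```

Because a duplicated directive is ignored, the attacker does not try to repeat script-src; the payload adds a directive the policy did not have, which is exactly the class of input the advisory describes.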
Multiple vulnerabilities in KONICA MINOLTA MFPs and printing systems
Overview: Multi-function printers (MFP) and printing systems provided by KONICA MINOLTA, INC. contain multiple vulnerabilities listed below. Incorrect authorization (CWE-863) - CVE-2021-20868; Exposure of sensitive information to an unauthorized actor (CWE-200) - CVE-2021-20869; Improper handling of...
Clientless SSL VPNs Break Web Browser Security Models
Clientless SSL VPN products from multiple vendors operate in a way that breaks fundamental browser security mechanisms, according to a warning from the U.S. Computer Emergency Readiness Team (US-CERT). This security problem, discussed since at least 2006, could let an attacker use these device...
ACROS Security: Poisoning Cached HTTPS Documents in Internet Explorer
Below please find our public report for the HTTPS cache poisoning issue in Internet Explorer. It includes workarounds for server operators, allowing them to protect their web services without having to rely on users to patch their browsers. Regards, ACROS Security http://www.acrossecurity.com...
linux kmod/ptrace bug - details
Hello. There are many discussions, on slashdot for example, on the recent linux ptrace & kmod bug. I'll try to clarify what this is all about. It's a local root vulnerability. It's exploitable only if: 1. the kernel is built with modules and the kernel module loader enabled, and 2...
solaris 2.6, 7 yppasswd vulnerability
Vulnerability Report. Vulnerability: Buffer overflow in yppasswd service. Affects: Solaris 2.6, 7 (SPARC tested, x86 unknown). Exploit: In circulation (http://www.hack.co.za/). Vendor Patch: Not yet. Various people have contacted Sun about this. No official word yet. Workarounds: supplied/included. Credits:...