ROOT-OS-UBUNTU-2204-CVE-2023-25564 CVE-2023-25564 in rootio-gss-ntlmssp - Patched by Root

Root has patched CVE-2023-25564 in the rootio-gss-ntlmssp package for Root:Ubuntu:22.04. Multiple fixed versions available...

Wear OS Security Bulletin—December 2025Stay organized with collectionsSave and categorize content based on your preferences.

The Wear OS Security Bulletin contains details of security vulnerabilities affecting the Wear OS platform. The full Wear OS update comprises the security patch level of 2025-12-05 or later from the December 2025 Android Security Bulletin in addition to all issues in this bulletin. We encourage al...

CVE-2025-66289

OrangeHRM is a comprehensive human resource management HRM system. From version 5.0 to 5.7, the application does not invalidate existing sessions when a user is disabled or when a password change occurs, allowing active session cookies to remain valid indefinitely. As a result, a disabled user, o...

CVE-2025-58436

OpenPrinting CUPS is an open source printing system for Linux and other Unix-like operating systems. Prior to version 2.4.15, a client that connects to cupsd but sends slow messages, e.g. only one byte per second, delays cupsd as a whole, such that it becomes unusable by other clients. This issue...

CVE-2025-66290

OrangeHRM CVE-2025-66290 affects versions 5.0–5.7. The recruitment attachment retrieval endpoint does not enforce authorization checks, allowing any authenticated user (even with ESS-level access) to access candidate attachments. The endpoint validates the session but does not verify recruitment ...

EUVD-2025-199894

Kiteworks is a private data network PDN. Prior to version 9.1.0, improper input validation when managing roles of a shared folder could lead to unexpectedly elevate another user's permissions on the share. This issue has been patched in version 9.1.0...

EUVD-2025-199889

Retro is an online platform providing items of vintage collections. Prior to version 2.4.7, Retro is vulnerable to a cross-site scripting XSS in the input handling component. This issue has been patched in version 2.4.7...

CVE-2025-66027

CVE-2025-66027 describes an information disclosure in Rallly prior to 4.5.6. The vulnerability allows disclosure of participant details (names and email addresses) through the endpoints /api/trpc/polls.get and polls.participants.list, even when Pro privacy features are enabled. The root cause is ...

CVE-2025-65113 ClipBucket v5 Unauthenticated Object Flagging Vulnerability

ClipBucket v5 is an open source video sharing platform. Prior to version 5.5.2 - 164, an authorization bypass vulnerability in the AJAX flagging system allows any unauthenticated user to flag any content users, videos, photos, collections on the platform. This can lead to mass flagging attacks,...

PT-2025-48368

OrangeHRM is a comprehensive human resource management HRM system. From version 5.0 to 5.7, the application’s recruitment attachment retrieval endpoint does not enforce the required authorization checks before serving candidate files. Even users restricted to ESS-level access, who have no...

PT-2025-48354

Name of the Vulnerable Software and Affected Versions Retro versions prior to 2.4.7 Description Retro, an online platform for vintage collections, has a cross-site scripting XSS issue in the input handling component. This allows for potential malicious code execution through crafted input...

PT-2025-48361

Name of the Vulnerable Software and Affected Versions Kiteworks MFT versions prior to 9.1.0 Description Kiteworks MFT orchestrates end-to-end file transfer workflows. Versions of Kiteworks MFT before 9.1.0 have an issue where an incorrectly specified destination in a communication channel could...

PT-2025-48357

Name of the Vulnerable Software and Affected Versions Kiteworks MFT versions prior to 9.1.0 Description Kiteworks MFT orchestrates end-to-end file transfer workflows. A flaw exists where a user’s active session may not properly time out due to inactivity under certain circumstances. This issue wa...

CVE-2025-64515

Open Forms allows users create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms where the prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to modify data they're not supposed to. For regular users, the form fields...

OESA-2025-2751 cups-filters security update

This project provides backends, filters, and other software that was once part of the core CUPS distribution but is no longer maintained by Apple Inc. In addition it contains additional filters and software developed independently of Apple, especially filters for the PDF-centric printing workflow...

Security update for python311

This update for python311 fixes the following issues: Update to 3.11.14: CVE-2025-6075: Fixed simple quadratic complexity vulnerabilities of os.path.expandvars bsc1252974 CVE-2025-8291: Fixed validity of the ZIP64 End of Central Directory EOCD not checked by the 'zipfile' module bsc1251305 Patch...

ROOT-OS-DEBIAN-12-CVE-2025-64720 CVE-2025-64720 in rootio-libpng1.6 - Patched by Root

Root has patched CVE-2025-64720 in the rootio-libpng1.6 package for Root:Debian:12. Multiple fixed versions available...

Security update for the Linux Kernel (Live Patch 26 for SUSE Linux Enterprise 15 SP5)

This update for the SUSE Linux Enterprise kernel 5.14.21-150500.55.103 fixes various security issues The following security issues were fixed: CVE-2024-53141: netfilter: ipset: add missing range check in bitmapipuadt bsc1245778. CVE-2025-23145: mptcp: fix NULL pointer in canacceptnewsubflow...

CVE-2025-65966

OneUptime is a solution for monitoring and managing online services. In version 9.0.5598, a low-permission user can create new accounts through a direct API request instead of being restricted to the intended interface. This issue has been patched in version 9.1.0...

VulnCheck KEV: CVE-2025-52472

XWiki Platform is a generic wiki platform offering runtime services for applications built on top of it. Starting in version 4.3-milestone-1 and prior to versions 16.10.9, 17.4.2, and 17.5.0, the REST search URL is vulnerable to HQL injection via the orderField parameter. The specified value is...