Lucene search

30259 matches found

CVE
added 2025/11/19 4:41 p.m., 14 views

CVE-2025-64764

CVE-2025-64764 affects the Astro web framework. Prior to 5.15.8, the server islands feature enables a reflected XSS vulnerability that can allow remote attackers to run scripts in victims’ browsers. The issue is tied to how server islands are hydrated and how slots/element names are handled, enab...

CVSS 7.1 | AI score 5.9 | EPSS 0.00243
In the wild | Exploits: 1 | References: 2 | Affected Software: 1

OSV
added 2025/11/19 9:41 a.m., 1 views

SUSE-SU-2025:21009-1 Security update for tiff

This update for tiff fixes the following issues: tiff was updated to 4.7.1. Software configuration changes: Define HAVE_JPEGTURBO_DUAL_MODE_8_12 and LERC_STATIC in tif_config.h. CMake: define WORDS_BIGENDIAN via tif_config.h. doc/CMakeLists.txt: remove useless cmake_minimum_required. CMake: fix build with...

CVSS 8.8 | AI score 7.1 | EPSS 0.00141
Exploits: 6 | References: 16

The Hacker News
added 2025/11/19 4:20 a.m., 12 views

Fortinet Warns of New FortiWeb CVE-2025-58034 Vulnerability Exploited in the Wild

Fortinet has warned of a new security flaw in FortiWeb that it said has been exploited in the wild. The medium-severity vulnerability, tracked as CVE-2025-58034, carries a CVSS score of 6.7 out of a maximum of 10.0. "An Improper Neutralization of Special Elements used in an OS Command ('OS Comman...

CVSS 9.8 | AI score 8.8 | EPSS 0.9299
Exploits: 19

Positive Technologies
added 2025/11/19 12:00 a.m., 5 views

PT-2025-47509

Name of the Vulnerable Software and Affected Versions: Rallly versions prior to 4.5.4
Description: Rallly is a scheduling and collaboration tool. A security issue exists where an authenticated user can modify the display names of other participants in polls without authorization. This is possible b...

CVSS 6.5 | AI score 6.3 | EPSS 0.00041
Exploits: 1 | References: 5

Positive Technologies
added 2025/11/19 12:00 a.m., 5 views

PT-2025-47502

Name of the Vulnerable Software and Affected Versions: Rallly versions prior to 4.5.4
Description: An Insecure Direct Object Reference (IDOR) issue exists in the poll finalization feature of Rallly. An authenticated user can finalize a poll they do not own by manipulating the pollId parameter in the...

CVSS 9.1 | AI score 6.4 | EPSS 0.00081
Exploits: 1 | References: 6

NVD
added 2025/11/18 11:15 p.m., 2 views

CVE-2025-64325

Emby Server is a personal media server. Prior to version 4.8.1.0 and prior to Beta version 4.9.0.0-beta, a malicious user can send an authentication request with a manipulated X-Emby-Client value, which gets added to the devices section of the admin dashboard without sanitization. This issue has...

CVSS 9 | EPSS 0.00066
Exploits: 1 | References: 1

EUVD
added 2025/11/18 10:39 p.m., 3 views

EUVD-2025-198098

Open Forms allows users to create and publish smart forms. Prior to versions 3.2.7 and 3.3.3, forms where the prefill data fields are dynamically set to readonly/disabled can be modified by malicious users deliberately trying to modify data they're not supposed to. For regular users, the form fields...

CVSS 4.3 | AI score 6.3 | EPSS 0.00053
Exploits: 0 | References: 3

Malwarebytes
added 2025/11/18 6:09 p.m., 4 views

Chrome zero-day under active attack: visiting the wrong site could hijack your browser

Google has released an update for its Chrome browser that includes two security fixes. Both are classified as high severity, and one is reportedly exploited in the wild. These flaws were found in Chrome’s V8 engine, which is the part of Chrome and other Chromium-based browsers that runs JavaScrip...

CVSS 8.8 | AI score 7.8 | EPSS 0.02879
Exploits: 1

The Hacker News
added 2025/11/18 4:44 a.m., 24 views

Google Issues Security Fix for Actively Exploited Chrome V8 Zero-Day Vulnerability

Google on Monday released security updates for its Chrome browser to address two security flaws, including one that has come under active exploitation in the wild. The vulnerability in question is CVE-2025-13223 (CVSS score: 8.8), a type confusion vulnerability in the V8 JavaScript and WebAssembly...

CVSS 9.8 | AI score 7.5 | EPSS 0.4686
Exploits: 14

OSV
added 2025/11/13 9:46 p.m., 4 views

CVE-2025-64753 grist-core has insufficient access control in endpoints for comparisons between documents and versions

grist-core is a spreadsheet hosting server. Prior to version 1.7.7, a user with only partial read access to a document could still access endpoints listing hashes for versions of that document and receive a full list of changes between versions, even if those changes contained cells, columns, or...

CVSS 5.3 | AI score 6.4 | EPSS 0.0003
Exploits: 0 | References: 4

NVD
added 2025/11/13 8:15 p.m., 5 views

CVE-2025-59840

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They...

CVSS 8.1 | EPSS 0.00034
Exploits: 0 | References: 1

ATTACKERKB
added 2025/11/13 3:32 p.m., 1 views

CVE-2025-64718

js-yaml is a JavaScript YAML parser and dumper. In js-yaml before 4.1.1 and 3.14.2, it's possible for an attacker to modify the prototype of the result of a parsed yaml document via prototype pollution (__proto__). All users who parse untrusted yaml documents may be impacted. The problem is patched in...

CVSS 5.3 | AI score 5.8 | EPSS 0.00034
Exploits: 0 | References: 5 | Affected Software: 1

Github Security Blog
added 2025/11/12 9:42 p.m., 9 views

OAuth2-Proxy is vulnerable to header smuggling via underscore leading to potential privilege escalation

Impact: All deployments of OAuth2 Proxy in front of applications that normalize underscores to dashes in HTTP headers (e.g., WSGI-based frameworks such as Django, Flask, FastAPI, and PHP applications). Authenticated users can inject underscore variants of X-Forwarded-* headers that bypass the proxy’s...

CVSS 8.5 | AI score 6.5 | EPSS 0.00048
Exploits: 0 | References: 9 | Affected Software: 1

SUSE Linux
added 2025/11/12 10:35 a.m., 2 views

Security update for buildah

This update for buildah fixes the following issues: CVE-2025-52881: Fixed container breakouts by bypassing runc's restrictions for writing to arbitrary /proc files (bsc#1253096). Other fixes: podman and buildah with runc 1.3.2 fail with lots of warnings as rootless (bsc#1252543). Patch Instructions: To...

CVSS 7.8 | AI score 6.9 | EPSS 0.00016
Exploits: 1 | References: 6

Tenable Nessus
added 2025/11/12 12:00 a.m., 4 views

EulerOS 2.0 SP12 : cmake (EulerOS-SA-2025-2318)

According to the versions of the cmake packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities: A vulnerability was determined in cmake 4.1.20250725-gb5cce23. This affects the function cmForEachFunctionBlocker::ReplayItems of the file...

CVSS 4.8 | AI score 4.5 | EPSS 0.00023
Exploits: 0 | References: 2

Positive Technologies
added 2025/11/12 12:00 a.m., 4 views

PT-2025-46688

Name of the Vulnerable Software and Affected Versions: Xxl-api version 1.3.0
Description: A stored cross-site scripting (XSS) issue exists in the Business Line Management module. This allows attackers to execute arbitrary web scripts or HTML by injecting a crafted payload into the Name parameter...

CVSS 6.1 | AI score 5.9 | EPSS 0.00037
Exploits: 1 | References: 5

CVE
added 2025/11/11 4:17 p.m., 7 views

CVE-2025-12943

CVE-2025-12943 involves NETGEAR RAX30 and RAXE300 devices, where improper certificate validation in the firmware update logic lets an attacker who can intercept and modify traffic potentially execute arbitrary commands on the device. Affected products: NETGEAR RAX30 (Nighthawk AX5 5-Stream AX2400...

CVSS 7.7 | AI score 7.3 | EPSS 0.00022
Exploits: 0 | References: 3 | Affected Software: 1

Tenable Nessus
added 2025/11/11 12:00 a.m., 2 views

Photon OS 4.0: Glib PHSA-2025-4.0-0902

An update of the glib package has been released. #%NASL_MIN_LEVEL 80900 (C) Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2025-4.0-0902. The text itself is copyright (C) VMware, Inc. include('compat.inc'); if (description...

CVSS 4.8 | AI score 6.1 | EPSS 0.00742
Exploits: 0 | References: 2

Packet Storm News
added 2025/11/11 12:00 a.m., 2 views

From LLMs to Agents: A Comparative Evaluation of LLMs and LLM-Based Agents in Security Patch Detection

The widespread adoption of open-source software (OSS) has accelerated software innovation but also increased security risks due to the rapid propagation of vulnerabilities and silent patch releases. In recent years, large language models (LLMs) and LLM-based agents have demonstrated remarkable...

AI score 7
Exploits: 0

OPENSUSE Linux
added 2025/11/11 12:00 a.m., 2 views

Security update for python-Django (important)

openSUSE security update: security update for python-django
Announcement ID: openSUSE-SU-2025-20022-1
Rating: important
References: bsc#1250485 bsc#1250487
Cross-References: CVE-2025-59681 CVE-2025-59682
CVSS scores: CVE-2025-59681 SUSE ...

CVSS 9.8 | AI score 7.2 | EPSS 0.00019
Exploits: 0 | References: 2
