EUVD-2025-203917
ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server...
CVE-2025-62521 ChurchCRM has unauthenticated RCE in its Install Wizard
ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution vulnerability in ChurchCRM's setup wizard allows unauthenticated attackers to inject arbitrary PHP code during the initial installation process, leading to complete server...
SUSE CVE-2025-68185
In the Linux kernel, the following vulnerability has been resolved: nfs4_setup_readdir: insufficient locking for ->d_parent->d_inode dereferencing. Theoretically it's an oopsable race, but I don't believe one can manage to hit it on real hardware; might become doable on a KVM, but it still won't be easy...
Gladinet Triofox < 16.7.10368.56560 Improper Access Control
Gladinet Triofox versions prior to 16.7.10368.56560 are vulnerable to an Improper Access Control flaw that allows access to the initial setup pages even after setup is complete. No source data...
PT-2025-51867
Name of the Vulnerable Software and Affected Versions: ChurchCRM versions prior to 5.21.0. Description: ChurchCRM is an open-source church management system. Prior to version 5.21.0, a pre-authentication remote code execution issue exists in the setup wizard. Unauthenticated attackers can inject...
EUVD-2025-203782
In the Linux kernel, the following vulnerability has been resolved: Bluetooth: btusb: mediatek: Avoid btusb_mtk_claim_iso_intf NULL deref. In btusb_mtk_setup, we set btmtk_data->isopkt_intf to: usb_ifnum_to_if(data->udev, MTK_ISO_IF_NUM). That function can return NULL in some cases. Even when it returns NULL, though...
CVE-2025-68165
In JetBrains TeamCity before 2025.11 reflected XSS was possible on VCS Root setup...
CVE-2025-68296
In the Linux kernel, the following vulnerability has been resolved: drm, fbcon, vga_switcheroo: Avoid race condition in fbcon setup. Protect vga_switcheroo_client_fb_set() with the console lock. Avoids OOB access in fbcon_remap_all(). Without holding the console lock the call races with switching outputs. VGA...
EUVD-2025-203672
In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix a regression triggered by scsi_host_busy(). Commit 995412e23bb2 "blk-mq: Replace tags->lock with SRCU for tag iterators" introduced the following regression: Call trace: srcu_read_lock+0x30/0x80 P...
CVE-2025-68165
CVE-2025-68165 is reported for JetBrains TeamCity: reflected XSS on the VCS Root setup in versions prior to 2025.11.0. The connected Nessus entry confirms the vulnerability exists in TeamCity
CVE-2025-68296
CVE-2025-68296 : Linux kernel DRM/fbcon/vga_switcheroo race condition in fbcon setup. The vulnerability occurred because fbcon_remap_all() could race with VGA switcheroo outputs when vga_switcheroo_client_fb_set() ran without the console lock, risking OOB access due to fb_info.node being used bef...
CVE-2025-68224
Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority...
UBUNTU-CVE-2025-68185
In the Linux kernel, the following vulnerability has been resolved: nfs4_setup_readdir: insufficient locking for ->d_parent->d_inode dereferencing. Theoretically it's an oopsable race, but I don't believe one can manage to hit it on real hardware; might become doable on a KVM, but it still won't be easy...
CVE-2025-68224
...
CVE-2025-68224 scsi: core: Fix a regression triggered by scsi_host_busy()
In the Linux kernel, the following vulnerability has been resolved: scsi: core: Fix a regression triggered by scsi_host_busy(). Commit 995412e23bb2 "blk-mq: Replace tags->lock with SRCU for tag iterators" introduced the following regression: Call trace: srcu_read_lock+0x30/0x80 P...
CVE-2025-65427
CVE-2025-65427 affects the Dbit N300 T1 Pro Easy Setup Wireless Wi‑Fi Router (firmware V1.0.0). The root cause is a lack of rate limiting on the /api/login endpoint, enabling brute-force password enumeration. Documented impact: password guessing attempts are possible with network access; remedi...
EUVD-2025-202608
Command injection vulnerabilities in Aqara Camera Hub G3 4.1.90027 allow attackers to execute arbitrary commands with root privileges through malicious QR codes during device setup and factory reset...
CVE-2025-65293
Command injection vulnerabilities in Aqara Camera Hub G3 4.1.90027 allow attackers to execute arbitrary commands with root privileges through malicious QR codes during device setup and factory reset...