1273 matches found

RedhatCVE • added 2026/01/09 8:39 a.m. • 6 views

CVE-2022-35938

TensorFlow is an open source platform for machine learning. The GatherNd function takes arguments that determine the sizes of inputs and outputs. If the inputs given are greater than or equal to the sizes of the outputs, an out-of-bounds memory read or a crash is triggered. This issue has been...

CVSS 9.1, AI score 6.6, EPSS 0.00428
Exploits: 0, References: 1

NVD • added 2026/01/07 6:15 p.m. • 4 views

CVE-2026-21680

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. Versions prior to 2.3.1.2 have a NULL pointer dereference vulnerability. This vulnerability affects users of the iccDEV libra...

CVSS 7.5, EPSS 0.00265
Exploits: 1, References: 3

OSV • added 2026/01/07 5:10 p.m. • 3 views

CVE-2026-21503 iccDEV has Undefined Behavior - Null Pointer Passed to memcpy() in CIccTagSparseMatrixArray

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, iccDEV has undefined behavior due to a null pointer passed to memcpy in CIccTagSparseMatrixArray. This issue has been patched in...

CVSS 6.1, AI score 6.6, EPSS 0.00155
Exploits: 1, References: 6

CVE • added 2026/01/07 5:10 p.m. • 10 views

CVE-2026-21504

CVE-2026-21504 affects iccDEV before 2.3.1.2, where the ToneMap parser contains a heap buffer overflow vulnerability. Multiple sources (NVD, Red Hat, CVE lists, OSV) confirm the issue and indicate it has been patched in 2.3.1.2. Affected software: iccDEV libraries/tools for ICC color management p...

CVSS 7.8, AI score 7, EPSS 0.00179
Exploits: 1, References: 6, Affected Software: 1

RedhatCVE • added 2026/01/07 9:10 a.m. • 11 views

CVE-2019-16766

When using wagtail-2fa before 1.3.0, if someone gains access to someone's Wagtail login credentials, they can log into the CMS and bypass the 2FA check by changing the URL. They can then add a new device and gain full access to the CMS. This problem has been patched in version 1.3.0...

CVSS 8.8, AI score 6.8, EPSS 0.01162
Exploits: 0, References: 1

EUVD • added 2026/01/06 7:4 p.m. • 3 views

EUVD-2026-1144

iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of International Color Consortium (ICC) color management profiles. A vulnerability present in versions prior to 2.3.1.2 affects users of the iccDEV library who process ICC color profiles. It...

CVSS 6.1, AI score 6.7, EPSS 0.00184
Exploits: 1, References: 4

Github Security Blog • added 2026/01/05 5:42 p.m. • 7 views

Craft CMS vulnerable to potential information disclosure via unchecked asset relocation

Authenticated users on a Craft installation could potentially expose sensitive assets via their user profile photo via maliciously crafted requests. Users should update to the patched versions 5.8.21 and 4.16.17 to mitigate the issue. Resources:...

CVSS 7.1, AI score 6.8, EPSS 0.00232
Exploits: 0, References: 4, Affected Software: 1

EUVD • added 2026/01/02 3:22 p.m. • 2 views

EUVD-2025-206138

Signal K Server Vulnerable to Unauthenticated Information Disclosure via Exposed Endpoints...

CVSS 5.3, AI score 6, EPSS 0.00338
Exploits: 1, References: 4

Positive Technologies • added 2026/01/01 12:0 a.m. • 3 views

PT-2026-29136

Name of the Vulnerable Software and Affected Versions: FreeRDP versions prior to 3.24.2. Description: FreeRDP is a free implementation of the Remote Desktop Protocol. The progressive decompress tile upgrade function detects a mismatch through progressive rfx quant cmp equal but only emits a warning,...

CVSS 9.8, AI score 5.9, EPSS 0.00317
Exploits: 1, References: 58

Positive Technologies • added 2026/01/01 12:0 a.m. • 3 views

PT-2026-28748

Name of the Vulnerable Software and Affected Versions: mxml versions up to 4.0.4. Description: A flaw exists in mxml up to version 4.0.4 related to a stack-based buffer overflow. The issue resides within the index sort function in the mxml-index.c file, specifically within the mxmlIndexNew component...

CVSS 4.8, AI score 6.2, EPSS 0.00128
Exploits: 0, References: 12

EUVD • added 2025/12/29 9:31 p.m. • 5 views

EUVD-2025-205597

hemmelig allows SSRF Filter bypass via Secret Request functionality...

CVSS 4.3, AI score 6.5, EPSS 0.0019
Exploits: 1, References: 3

OSV • added 2025/12/29 4:1 p.m. • 5 views

CVE-2025-69211 Nest has a Fastify URL Encoding Middleware Bypass (TOCTOU)

Nest is a framework for building scalable Node.js server-side applications. Versions prior to 11.1.11 have a Fastify URL encoding middleware bypass. A NestJS application is vulnerable if it uses @nestjs/platform-fastify; relies on NestMiddleware via MiddlewareConsumer for security checks...

CVSS 9.1, AI score 6.8, EPSS 0.00355
Exploits: 1, References: 4

OSV • added 2025/12/23 12:15 a.m. • 2 views

DEBIAN-CVE-2025-68615

net-snmp is an SNMP application library, tools and daemon. Prior to versions 5.9.5 and 5.10.pre2, a specially crafted packet to a net-snmp snmptrapd daemon can cause a buffer overflow and the daemon to crash. This issue has been patched in versions 5.9.5 and 5.10.pre2...

CVSS 9.8, AI score 7, EPSS 0.4269
Exploits: 2, References: 1

OSV • added 2025/12/22 5:16 a.m. • 5 views

CVE-2025-15013

A vulnerability was identified in floooh sokol up to 5d11344150973f15e16d3ec4ee7550a73fb995e0. The impacted element is the function sgvalidatepipelinedesc in the library sokolgfx.h. Such manipulation leads to stack-based buffer overflow. The attack must be carried out locally. The exploit is...

CVSS 5.3, AI score 5.5
Exploits: 0, References: 7

Patchstack • added 2025/12/15 11:1 p.m. • 4 views

WordPress RegistrationMagic plugin <= 6.0.6.7 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'RM_Forms' Shortcode vulnerability

Authenticated (Contributor+) Stored Cross-Site Scripting via 'RM_Forms' Shortcode vulnerability discovered by Muhammad Yudha - DJ in WordPress Plugin RegistrationMagic versions <= 6.0.6.7...

CVSS 6.4, AI score 5.6, EPSS 0.00159
Exploits: 0, References: 1, Affected Software: 1

Packet Storm • added 2025/11/26 12:0 a.m. • 193 views

XWiki Platform 15.10.10 Remote Command Execution

XWiki Platform version 15.10.10 suffers from a critical unauthenticated remote command execution vulnerability through the SolrSearch endpoint. The issue is patched in versions 15.10.11, 16.4.1, and 16.5.0RC1...

CVSS 9.8, AI score 7.5, EPSS 0.99898
Exploits: 50

OSV • added 2025/11/21 7:16 p.m. • 5 views

PYSEC-2025-139

MLX is an array framework for machine learning on Apple silicon. Prior to version 0.29.4, there is a segmentation fault in mlx::core::loadgguf when loading malicious GGUF files. Untrusted pointer from external gguflib library is dereferenced without validation, causing application crash. This iss...

CVSS 7.5, AI score 5.8, EPSS 0.00328
Exploits: 1, References: 1

Positive Technologies • added 2025/11/20 12:0 a.m. • 4 views

PT-2025-47649

Name of the Vulnerable Software and Affected Versions: vLLM versions 0.5.5 through 0.11.0. Description: vLLM is an inference and serving engine for large language models (LLMs). Users can cause the vLLM engine to crash when serving multimodal models by providing multimodal embedding inputs with a...

CVSS 8.3, AI score 6.5, EPSS 0.00331
Exploits: 0, References: 13

Cvelist • added 2025/11/17 4:48 p.m. • 8 views

CVE-2025-62519 phpMyFAQ has Authenticated SQL Injection in Configuration Update Functionality

phpMyFAQ is an open source FAQ web application. Prior to version 4.0.14, an authenticated SQL injection vulnerability in the main configuration update functionality of phpMyFAQ allows a privileged user with 'Configuration Edit' permissions to execute arbitrary SQL commands. Successful exploitatio...

CVSS 7.2, EPSS 0.00697
Exploits: 1, References: 2

EUVD • added 2025/11/13 10:58 p.m. • 2 views

EUVD-2025-50833

SpiceDB WriteRelationships fails silently if payload is too big...

CVSS 6.9, AI score 6.1, EPSS 0.00215
Exploits: 0, References: 3