WordPress HTML5 Radio Player - WPBakery Page Builder Addon <= 2.5 - Cross Site Scripting (XSS) Vulnerability

WordPress HTML5 Radio Player - WPBakery Page Builder Addon = 2.5 - Cross Site Scripting XSS Vulnerability discovered by Tran Nguyen Bao Khanh VCI - VNPT Cyber Immunity in WordPress Plugin HTML5 Radio Player - WPBakery Page Builder Addon versions = 2.5...

CVE-2025-53887 Directus's exact version number is exposed by the OpenAPI Spec

Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, the exact Directus version number is incorrectly being used as OpenAPI Spec version this means that it is being exposed by the /server/specs/oas endpoint without...

CVE-2025-7546

A vulnerability, which was classified as problematic, has been found in GNU Binutils 2.45. Affected by this issue is the function bfdelfsetgroupcontents of the file bfd/elf.c. The manipulation leads to out-of-bounds write. It is possible to launch the attack on the local host. The exploit has bee...

CVE-2025-52994

gifoutputAsJpeg in phpThumb through 1.7.23 allows phpthumb.gif.php OS Command Injection via a crafted parameter value. This is fixed in 1.7.23-202506081709...

Security Bulletin: Security vulnerabilities were found in IBM Verify Identity Access Digital Credentials (CVE-2025-48387, CVE-2025-5889)

Summary Security vulnerabilities were addressed in IBM Verify Identity Access Digital Credentials Vulnerability Details CVEID:CVE-2025-48387 DESCRIPTION: tar-fs provides filesystem bindings for tar-stream. Versions prior to 3.0.9, 2.1.3, and 1.16.5 have an issue where an extract can write outside...

CVE-2025-52994

gifoutputAsJpeg in phpThumb through 1.7.23 allows phpthumb.gif.php OS Command Injection via a crafted parameter value. This is fixed in 1.7.23-202506081709...

CVE-2025-53549 Matrix Rust SDK allows SQL injection in the EventCache implementation

The Matrix Rust SDK is a collection of libraries that make it easier to build Matrix clients in Rust. An SQL injection vulnerability in the EventCache::findeventwithrelations method of matrix-sdk 0.11 and 0.12 allows malicious room members to execute arbitrary SQL commands in Matrix clients that...

GHSA-275G-G844-73JH Matrix Rust SDK vulnerable to SQL Injection through its EventCache implementation

An SQL injection vulnerability in the EventCache::findeventwithrelations method of matrix-sdk 0.11 and 0.12 allows malicious room members to execute arbitrary SQL commands in Matrix clients that directly pass relation types provided by those room members into this method, when used with the defau...

CVE-2025-38325 ksmbd: add free_transport ops in ksmbd connection

In the Linux kernel, the following vulnerability has been resolved: ksmbd: add freetransport ops in ksmbd connection freetransport function for tcp connection can be called from smbdirect. It will cause kernel oops. This patch add freetransport ops in ksmbd connection, and add each freetransports...

BIT-GIT-2025-48386 Git allows a buffer overflow in 'wincred' credential helper

Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations and full access to internals. The wincred credential helper uses a static buffer target as a unique key for storing and comparing against internal storage. This...

GHSA-P22H-3M2V-CMGH Cosmos SDK's Integer Overflow vulnerability in its Validator Rewards pool can cause a chain halt

Description Name: ISA-2025-005: Integer Overflow in Cosmos SDK Component: CosmosSDK Criticality: High Considerable Impact; Likely Likelihood per ACMv1.2 Affected versions: = v0.50.13, = 0.53.2 Affected users: Validators, Full nodes, Users on chains that utilize the distribution module Cosmos SDK...

PT-2025-28358 · Unknown · Code-Projects Crime Reporting System

Name of the Vulnerable Software and Affected Versions: code-projects Crime Reporting System version 1.0 Description: A critical issue affects the processing of the file /userlogin.php. The manipulation of the email argument leads to SQL injection. The attack can be initiated remotely...

PT-2025-28769 · Unknown · Jonnys Liquor

Name of the Vulnerable Software and Affected Versions: Jonnys Liquor version 1.0 Description: A critical issue exists in Jonnys Liquor that allows for remote SQL injection. The vulnerability is located in the /admin/delete-row.php file, where manipulation of the ID argument can lead to...

CVE-2025-7107

A vulnerability classified as critical has been found in SimStudioAI sim up to 0.1.17. Affected is the function handleLocalFile of the file apps/sim/app/api/files/parse/route.ts. The manipulation of the argument filePath leads to path traversal. It is possible to launch the attack remotely. The...

WordPress WoodMart Theme <= 8.2.3 is vulnerable to Local File Inclusion

Software WoodMart Type Theme Vulnerable versions = 8.2.3 Fixed in 8.2.4 OWASP Top 10 A1: Injection Classification Local File Inclusion CVE CVE-2025-6746 Patch priority Low CVSS severity Low 7.5 Developer Xtemos PSID fa6d0144ad7f Credits stealthcopter Required privilege Contributor Published 7 Jul...

CVE-2025-53108

HomeBox is a home inventory and organization system. Prior to 0.20.1, HomeBox contains a missing authorization check in the API endpoints responsible for updating and deleting inventory item attachments. This flaw allows authenticated users to perform unauthorized actions on inventory item...

BIT-MODSECURITY-2025-52891 ModSecurity empty XML tag causes segmentation fault

ModSecurity is an open source, cross platform web application firewall WAF engine for Apache, IIS and Nginx. In versions 2.9.8 to before 2.9.11, an empty XML tag can cause a segmentation fault. If SecParseXmlIntoArgs is set to On or OnlyArgs, and the request type is application/xml, and at least...

PT-2025-27886 · Unknown · Aakif Kadiwala Posts Slider Shortcode

Name of the Vulnerable Software and Affected Versions: Aakif Kadiwala Posts Slider Shortcode versions 1.0 and earlier Description: The issue is related to improper neutralization of input during web page generation, which allows for DOM-Based Cross-site Scripting XSS. This means that an attacker...

CVE-2025-34087

An authenticated command injection vulnerability exists in Pi-hole versions up to 3.3. When adding a domain to the allowlist via the web interface, the domain parameter is not properly sanitized, allowing an attacker to append OS commands to the domain string. These commands are executed on the...

CVE-2025-38164 f2fs: zone: fix to avoid inconsistence in between SIT and SSA

In the Linux kernel, the following vulnerability has been resolved: f2fs: zone: fix to avoid inconsistence in between SIT and SSA w/ below testcase, it will cause inconsistence in between SIT and SSA. createnullblk 512 2 1024 1024 mkfs.f2fs -m /dev/nullb0 mount /dev/nullb0 /mnt/f2fs/ touch...