CVE-2025-48936

Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset...

CVE-2025-48473

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.179, when creating a conversation from a message in another conversation, there is no check to ensure that the user has the ability to view this message. Thus, the user can view arbitrary messages from other...

CVE-2025-48936

Zitadel is open-source identity infrastructure software. Prior to versions 2.70.12, 2.71.10, and 3.2.2, a potential vulnerability exists in the password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset...

CVE-2025-48488 FreeScout Vulnerable to Stored XSS

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, deleting the file .htaccess allows an attacker to upload an HTML file containing malicious JavaScript code to the server, which can result in a Cross-Site Scripting XSS vulnerability. This issue has been patch...

CVE-2025-48486 FreeScout Vulnerable to Stored XSS

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the cross-site scripiting XSS vulnerability is caused by the lack of input validation and sanitization in both \Session::flash and , allowing user input to be executed without proper filtering. This issue has...

CVE-2025-48483 FreeScout Stored XSS leads to CSRF

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application is vulnerable to Cross-Site Scripting XSS attacks due to incorrect input validation and sanitization of user-input data during mail signature sanitization. An attacker can inject arbitrary HTML...

CVE-2025-48481 FreeScout Has Business Logic Errors

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, an attacker with an unactivated email invitation containing invitehash, can exploit this vulnerability to self-activate their account, despite it being blocked or deleted, by leveraging the invitation link fro...

CVE-2025-48478 FreeScout Has Business Logic Errors

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, insufficient input validation during user creation has resulted in a mass assignment vulnerability, allowing an attacker to manipulate all fields of the object, which are enumerated in the $fillable array the...

CVE-2025-47952 Traefik allows path traversal using url encoding

Traefik pronounced traffic is an HTTP reverse proxy and load balancer. Prior to versions 2.11.25 and 3.4.1, there is a potential vulnerability in Traefik managing the requests using a PathPrefix, Path or PathRegex matcher. When Traefik is configured to route the requests to a backend using a...

CVE-2025-47933

CVE-2025-47933 affects Argo CD (GitOps for Kubernetes). The issue is an XSS via the API caused by improper filtering of URL protocols on the repository page, enabling arbitrary actions on behalf of the victim when a user with edit permissions views a repository. It applies to versions before the ...

CVE-2025-48474 FreeScout Vulnerable to Insufficient Authorization

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application incorrectly checks user access rights for conversations. Users with showonlyassignedconversations enabled can assign themselves to an arbitrary conversation from the mailbox to which they have...

CVE-2025-48390 FreeScout Vulnerable to Remote Code Execution (RCE)

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, FreeScout is vulnerable to code injection due to insufficient validation of user input in the phppath parameter. The backticks characters are not removed, as well as tabulation is not removed. When checking us...

CVE-2025-48388

Freescout, a PHP/Laravel-based open‑source helpdesk, is affected by a CRLF‑injection style vulnerability in versions before 1.8.178. Root cause: insufficient validation of user‑supplied data used as arguments to string formatting functions, allowing input containing \r, \n, or \t. The issue is pa...

CVE-2025-48388 FreeScout Has Insufficient Protection Against CRLF-injection

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.178, the application performs insufficient validation of user-supplied data, which is used as arguments to string formatting functions. As a result, an attacker can pass a string containing special symbols \r, \n,...

vLLM allows clients to crash the openai server with invalid regex

Impact A denial of service bug caused the vLLM server to crash if an invalid regex was provided while using structured output. This vulnerability is similar to GHSA-6qc9-v4r8-22xg, but for regex instead of a JSON schema. Issue with more details: https://github.com/vllm-project/vllm/issues/17313...

Issue with Amazon Redshift Python Connector and the BrowserAzureOAuth2CredentialsProvider plugin

Summary Amazon Redshift Python Connector is a pure Python connector to Redshift i.e., driver that implements the Python Database API Specification 2.0. When the Amazon Redshift Python Connector is configured with the BrowserAzureOAuth2CredentialsProvider plugin, the driver skips the SSL certifica...

CVE-2025-48057 Icinga 2 certificate renewal might incorrectly renew an invalid certificate

Icinga 2 is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Prior to versions 2.12.12, 2.13.12, and 2.14.6, the VerifyCertificate function can be tricked into incorrectly treating certificates as vali...

CVE-2025-48057 Icinga 2 certificate renewal might incorrectly renew an invalid certificate

Icinga 2 is a monitoring system which checks the availability of network resources, notifies users of outages, and generates performance data for reporting. Prior to versions 2.12.12, 2.13.12, and 2.14.6, the VerifyCertificate function can be tricked into incorrectly treating certificates as vali...

CVE-2025-3704

Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in DBAR Productions Volunteer Sign Up Sheets allows Stored XSS.This issue affects Volunteer Sign Up Sheets: from n/a before 5.5.5. The patch is available exclusively on GitHub at...

SUSE CVE-2025-47291

containerd is an open-source container runtime. A bug was found in the containerd's CRI implementation where containerd, starting in version 2.0.1 and prior to version 2.0.5, doesn't put usernamespaced containers under the Kubernetes' cgroup hierarchy, therefore some Kubernetes limits are not...