CVE-2025-37947 ksmbd: prevent out-of-bounds stream writes by validating *pos

In the Linux kernel, the following vulnerability has been resolved: ksmbd: prevent out-of-bounds stream writes by validating pos ksmbdvfsstreamwrite did not validate whether the write offset pos was within the bounds of the existing stream data length vlen. If pos was greater than or equal to vle...

Symfony UX allows unsanitized HTML attribute injection via ComponentAttributes

Impact Rendering attributes or using any method that returns a ComponentAttributes instance e.g. only, defaults, without ouputs attribute values directly without escaping. If these values are unsafe e.g. contain user input, this can lead to HTML attribute injection and XSS vulnerabilities. Patche...

WordPress Advance Post Prefix plugin <= 1.1.1 - Reflected XSS vulnerability

Reflected XSS vulnerability discovered by Hassan Khan Yusufzai - Splint3r7 in WordPress Plugin Advance Post Prefix versions = 1.1.1...

Test remote endpoint is not rate limited

None...

CVE-2025-47279 undici Denial of Service attack via bad certificate data

Undici is an HTTP/1.1 client for Node.js. Prior to versions 5.29.0, 6.21.2, and 7.5.0, applications that use undici to implement a webhook-like system are vulnerable. If the attacker set up a server with an invalid certificate, and they can force the application to call the webhook repeatedly, th...

CVE-2025-46836 net-tools Stack-based Buffer Overflow vulnerability

net-tools is a collection of programs that form the base set of the NET-3 networking distribution for the Linux operating system. Inn versions up to and including 2.10, the Linux network utilities like ifconfig from the net-tools package do not properly validate the structure of /proc files when...

CVE-2025-31493

Kirby CVE-2025-31493 affects versions prior to 3.9.8.3, 3.10.1.2, and 4.7.1 where dynamic collection names passed to collection() or $kirby-&gt;collection() can bypass validation, enabling path traversal. The missing check allowed traversal outside the configured collections root (and even Kirby ...

CVE-2025-46729 phpDVDProfiler Cross-site Scripting vulnerability

julmud/phpDVDProfiler is an adoption of the defunct phpDVDProfiler project, which allows users to display on the web their DVD collections maintained with Invelos's DVDProfiler software. Starting in v20230807 and prior to v20250511, cross-site scripting in the search function. v20250511 contains ...

PT-2025-20675 · Unknown · Phpgurukul Apartment Visitors Management System

Name of the Vulnerable Software and Affected Versions: PHPGurukul Apartment Visitors Management System version 1.0 Description: A critical issue was found in the system, affecting some unknown functionality of the file /admin/bwdates-reports-details.php. The manipulation of the fromdate and todat...

PT-2025-20623 · Unknown · Code-Projects Hospital Management System

Name of the Vulnerable Software and Affected Versions: code-projects Simple Hospital Management System version 1.0 Description: A critical vulnerability was found in the Simple Hospital Management System. The issue affects the Add function of the Add Information component. Manipulation of the...

CVE-2025-46712 Erlang/OTP SSH Has Strict KEX Violations

Erlang/OTP is a set of libraries for the Erlang programming language. In versions prior to OTP-27.3.4 for OTP-27, OTP-26.2.5.12 for OTP-26, and OTP-25.3.2.21 for OTP-25, Erlang/OTP SSH fails to enforce strict KEX handshake hardening measures by allowing optional messages to be exchanged. This...

PT-2025-20390 · Totolink · Totolink Nr1800X

Name of the Vulnerable Software and Affected Versions: TOTOLINK NR1800X version 9.1.0u.6681 B20230703 Description: The issue is an authenticated stack overflow that occurs via the text parameter in the setSmsCfg function. This allows for potential exploitation. Recommendations: For TOTOLINK NR180...

PT-2025-20443 · D Link · D-Link Dir-605L

Name of the Vulnerable Software and Affected Versions: D-Link DIR-605L version 2.13B01 Description: A critical issue has been discovered, affecting the wake on lan function. The manipulation of the mac argument leads to command injection. This issue can be exploited remotely. The vendor was...

RLSA-2025:0923 Important: buildah security update

The buildah package provides a tool for facilitating building OCI container images. Among other things, buildah enables you to: Create a working container, either from scratch or using an image as a starting point; Create an image, either from a working container or using the instructions in a...

WordPress Challan plugin <= 3.7.58 - CSRF to Privilege Escalation vulnerability

CSRF to Privilege Escalation vulnerability discovered by LVT-tholv2k in WordPress Plugin Challan versions = 3.7.58...

PT-2025-20026 · Rt · Rt-Labs P-Net

Name of the Vulnerable Software and Affected Versions: RT-Labs P-Net versions 1.0.1 and earlier Description: The issue is related to an Out-of-bounds Write that allows an attacker to induce a crash in IO devices using the library. This can be achieved by sending a malicious RPC packet...

GHSA-F7JH-M6WP-JM7F HAL Cross Site Scripting (XSS) vulnerability of user input when storing it in a data store

A flaw was found in the JBoss EAP Management Console, where a stored Cross-site scripting vulnerability occurs when an application improperly sanitizes user input before storing it in a data store. When this stored data is later included in web pages without adequate sanitization, malicious scrip...

CVE-2025-46736 Umbraco Makes User Enumeration Feasible Based on Timing of Login Response

Umbraco is a free and open source .NET content management system. Prior to versions 10.8.10 and 13.8.1, based on an analysis of the timing of post login API responses, it's possible to determine whether an account exists. The issue is patched in versions 10.8.10 and 13.8.1. No known workarounds a...

Umbraco Makes User Enumeration Feasible Based on Timing of Login Response

Impact Based on an analysis of the timing of post login API responses, it's possible to determine whether an account exists. Patches Patched in 10.8.10 and 13.8.1. Workarounds None available...

PT-2025-19936 · D Link · D-Link Dir-600

Name of the Vulnerable Software and Affected Versions: D-Link DIR-600L versions 2.07B01 and earlier Description: A critical issue has been identified, affecting the function formSetWAN Wizard534. The manipulation of the argument host leads to a buffer overflow, allowing for remote attack executio...