GHSA-Q62R-8PPJ-XVF4 Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users
Impact Authenticated users of the Umbraco backoffice are able to craft management API requests that exploit a path traversal vulnerability to upload files into an incorrect location. Patches The issue affects Umbraco 14+ and is patched in 14.3.4 and 15.3.1. Workarounds Umbraco supports the...
CVE-2025-32017 Umbraco has a Management API Vulnerability to Path Traversal With Authenticated Users
Umbraco is a free and open source .NET content management system. Authenticated users of the Umbraco backoffice are able to craft management API requests that exploit a path traversal vulnerability to upload files into an incorrect location. The issue affects Umbraco 14+ and is patched in 14.3.4 an...
WordPress Hive Support plugin <= 1.2.10 - Cross Site Scripting (XSS) vulnerability
Cross Site Scripting (XSS) vulnerability discovered by hunter85 in WordPress Plugin Hive Support versions <= 1.2.10...
RHSA-2025:3647 Red Hat Security Advisory: tomcat security update
Bulletin has no description...
GraphQL grant on a property might be cached with different objects
Original message: I found an issue with security grants on properties in the GraphQL ItemNormalizer: If you use something like ApiProperty(security: 'is_granted("PROPERTY_READ", object, property)') on a member of an entity, the grant gets cached and is only evaluated once, even if the object in...
GHSA-MQQG-XJHJ-WFGW Stored XSS in Miniflux when opening a broken image due to unescaped ServerError in proxy handler
Impact Since v2.0.25, Miniflux will automatically proxy images served over HTTP to prevent mixed content errors. When an outbound request made by the Go HTTP client fails, the html.ServerError is returned unescaped without the expected Content Security Policy header added to valid responses. By...
About Remote Code Execution – Apache Tomcat (CVE-2025-24813) vulnerability
About Remote Code Execution - Apache Tomcat CVE-2025-24813 vulnerability. Apache Tomcat is open-source software that provides a platform for Java web applications. The vulnerability allows a remote attacker to upload and execute arbitrary files on the server due to flaws in the handling of...
DLA-4109-1 firefox-esr - security update
Bulletin has no description...
CVE-2025-21897 sched_ext: Fix pick_task_scx() picking non-queued tasks when it's called without balance()
In the Linux kernel, the following vulnerability has been resolved: sched_ext: Fix pick_task_scx() picking non-queued tasks when it's called without balance() a6250aa251ea "sched_ext: Handle cases where pick_task_scx() is called without preceding balance_scx()" added a workaround to handle the cases where...
CVE-2024-7776 affecting package pytorch for versions less than 2.2.2-5
CVE-2024-7776 affecting package pytorch for versions less than 2.2.2-5. A patched version of the package is available...
CVE-2025-31131 Path Traversal allowing arbitrary read of files in Yeswiki
YesWiki is a wiki system written in PHP. The squelette parameter is vulnerable to path traversal attacks, enabling read access to arbitrary files on the server. This vulnerability is fixed in 4.5.2...
GHSA-8P83-CPFG-FJ3G Rancher: Restricted Administrator can change Administrator's passwords
Impact A vulnerability has been identified within Rancher where a Restricted Administrator can change the password of Administrators and take over their accounts. A Restricted Administrator should not be allowed to change the password of more privileged users unless it contains the Manage Users...
PT-2025-14217 · Eventbee · Eventbee Rsvp Widget
Name of the Vulnerable Software and Affected Versions: Eventbee RSVP Widget versions n/a through 1.0 Description: The issue is related to Improper Neutralization of Input During Web Page Generation, also known as 'Cross-site Scripting', which allows DOM-Based XSS in the Eventbee RSVP Widget...
CVE-2025-30369 Zulip allows the deletion of Custom profile fields by administrators of a different organization
Zulip is an open-source team collaboration tool. The API for deleting an organization custom profile field is supposed to be restricted to organization administrators, but its handler failed to check that the field belongs to the same organization as the user. Therefore, an administrator of any...
PT-2025-14008 · Unknown · Project Worlds Online Time Table Generator
Name of the Vulnerable Software and Affected Versions: Project Worlds Online Time Table Generator version 1.0 Description: A critical issue was found in the file /admin/add_student.php, where the manipulation of the pic argument leads to unrestricted upload. This issue can be exploited remotely...
CVE-2025-2885
Missing validation of the root metadata version number could allow an actor to supply an arbitrary version number to the client instead of the intended version in the root metadata file, altering the version fetched by the client. Users should upgrade to tough version 0.20.0 or later and ensure...
GHSA-5VMP-M5V2-HX47 tough root metadata version is not checked for sequential versioning
Summary When updating the root role, a TUF client must establish a trusted line of continuity to the latest set of keys. While sequentially downloading new versions of the root metadata file, tough will not check that the root object version it received was the next sequential version from the...
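The two tough entries above describe the same missing check: while walking N+1.root.json, N+2.root.json, ... a TUF client must refuse a file whose own version number is not the one it asked for. The following is an added example, not code from tough or the TUF specification. It is a simplified root-update loop with the check in place (and a switch to turn it off, to show what a skipped version looks like). Signatures are a stand-in: HMAC-SHA256 with a per-key secret, so the same keyring both signs and verifies; the key material, metadata layout and helper names are all constructed for the demonstration.

```python
# Added example: simplified TUF root-metadata rotation with the sequential
# version check. Not tough's code; HMAC stands in for public-key signatures.
import hashlib
import hmac
import json


def canonical(signed):
    """Deterministic encoding of the signed portion, so signatures are stable."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def key_id(secret):
    return hashlib.sha256(secret).hexdigest()[:16]


def make_root(version, root_secrets, threshold, signing_secrets):
    """Root metadata naming the keys that must sign the *next* root."""
    signed = {
        "_type": "root",
        "version": version,
        "roles": {"root": {"keyids": sorted(key_id(s) for s in root_secrets),
                           "threshold": threshold}},
    }
    signatures = [{"keyid": key_id(s),
                   "sig": hmac.new(s, canonical(signed), "sha256").hexdigest()}
                  for s in signing_secrets]
    return {"signed": signed, "signatures": signatures}


def meets_threshold(root, role, keyring):
    """True if `root` carries `threshold` distinct valid signatures from `role`'s keys."""
    msg = canonical(root["signed"])
    valid = set()
    for sig in root["signatures"]:
        kid = sig["keyid"]
        if kid in role["keyids"] and kid in keyring:
            expected = hmac.new(keyring[kid], msg, "sha256").hexdigest()
            if hmac.compare_digest(expected, sig["sig"]):
                valid.add(kid)
    return len(valid) >= role["threshold"]


class RootUpdateError(Exception):
    pass


def update_root(trusted_root, fetch, keyring, check_version=True, max_steps=32):
    """Walk N+1.root.json, N+2.root.json, ... via fetch(version) -> metadata or None.

    Each candidate must be signed to threshold by the keys the current root
    trusts AND by its own root keys, and (with check_version) must carry
    exactly the version that was requested. Without that check a repository
    can hand back a later file at an earlier slot and the client skips versions.
    """
    current = trusted_root
    for _ in range(max_steps):
        want = current["signed"]["version"] + 1
        candidate = fetch(want)
        if candidate is None:
            return current  # no newer root published
        got = candidate["signed"]["version"]
        if check_version and got != want:
            raise RootUpdateError(f"expected root version {want}, got {got}")
        if not meets_threshold(candidate, current["signed"]["roles"]["root"], keyring):
            raise RootUpdateError(f"root v{got} not signed by the previously trusted root keys")
        if not meets_threshold(candidate, candidate["signed"]["roles"]["root"], keyring):
            raise RootUpdateError(f"root v{got} not signed by its own root keys")
        current = candidate
    raise RootUpdateError("too many root versions")


# Constructed key material: K1 is the original root key, K2 is rotated in at v3.
K1, K2 = b"root-key-one-secret", b"root-key-two-secret"
KEYRING = {key_id(K1): K1, key_id(K2): K2}

ROOT_V1 = make_root(1, [K1], 1, [K1])
ROOT_V2 = make_root(2, [K1], 1, [K1])       # v2 keeps K1
ROOT_V3 = make_root(3, [K2], 1, [K1, K2])   # v3 rotates to K2, signed by old and new


def honest_fetch(version):
    return {2: ROOT_V2, 3: ROOT_V3}.get(version)


def skipping_fetch(version):
    # Hostile repository: serves the v3 file where 2.root.json is expected.
    return {2: ROOT_V3}.get(version)


def honest_update():
    return update_root(ROOT_V1, honest_fetch, KEYRING)["signed"]["version"]


def skip_attempt(check_version=True):
    """Accepted version, or the refusal message, for the skipping repository."""
    try:
        return update_root(ROOT_V1, skipping_fetch, KEYRING, check_version)["signed"]["version"]
    except RootUpdateError as exc:
        return str(exc)
```

With the check on, `skip_attempt()` refuses the v3 file served in the v2 slot; with `check_version=False` the same client lands on v3 without ever seeing v2, even though every signature verifies, which is why a signature check alone is not enough.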
GHSA-J95M-RCJP-Q69H github.com/jaredallard/archives Has Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Impact A malicious user could feed a specially crafted archive to this library causing RCE, modification of files or other bad things in the context of whatever user is running this library as, through the program that imports it. The severity highly depends on the user's permissions and...
CVE-2024-11504
CVE-2024-11504 affects Streamsoft Prestiż. The description shows an SQL injection due to improper sanitization of input from multiple fields, exploitable by an authenticated remote attacker. The vulnerability is rated high (CVSS 4.0: base score 8.6; Network attack vector; low required privileges; no...
BIT-DISCOURSE-2025-24808 Discourse has race condition when adding users to a group DM
Discourse is an open-source discussion platform. Prior to versions 3.3.4 on the stable branch and 3.4.0.beta5 on the beta branch, someone who is about to reach the limit of users in a group DM may send requests to add new users in parallel. The requests might all go through ignoring the limit due...
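The Discourse entry above is a classic check-then-act race: each request reads the member count, sees it below the limit, and inserts, so several parallel requests all pass. The following is an added example and not Discourse's code. It shows the racy pattern beside one that performs the check and the insert in a single statement, so the database serialises them. The table, the member limit and the explicit interleaving of "parallel" requests are constructed here so the outcome is deterministic.

```python
# Added example: group-membership cap enforced racily (read count, then insert)
# versus atomically in one SQL statement. Not Discourse's code; in-memory SQLite.
import sqlite3

LIMIT = 3  # constructed cap on members per group DM


def new_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE dm_members (dm_id INTEGER, user_name TEXT, "
                 "UNIQUE(dm_id, user_name))")
    return conn


def member_count(conn, dm_id):
    return conn.execute("SELECT COUNT(*) FROM dm_members WHERE dm_id=?",
                        (dm_id,)).fetchone()[0]


def add_members_racy(conn, dm_id, users):
    """Check-then-act. The interleaving is simulated: every request reads the
    count before any of them writes, which is exactly what concurrent requests
    can do, so all of them pass the check and all of them insert."""
    decisions = [member_count(conn, dm_id) < LIMIT for _ in users]
    for user, allowed in zip(users, decisions):
        if allowed:
            conn.execute("INSERT INTO dm_members VALUES (?, ?)", (dm_id, user))
    conn.commit()
    return member_count(conn, dm_id)


def add_member_atomic(conn, dm_id, user):
    """Check and insert in one statement: the count subquery and the insert run
    under the same write lock, so parallel requests cannot both see a free slot."""
    cur = conn.execute(
        "INSERT INTO dm_members (dm_id, user_name) "
        "SELECT ?, ? WHERE (SELECT COUNT(*) FROM dm_members WHERE dm_id=?) < ?",
        (dm_id, user, dm_id, LIMIT),
    )
    conn.commit()
    return cur.rowcount == 1  # False means the cap was already reached


def racy_outcome():
    """Two existing members, then three requests arriving together."""
    conn = new_db()
    add_members_racy(conn, 1, ["alice", "bob"])
    return add_members_racy(conn, 1, ["carol", "dave", "erin"])


def atomic_outcome():
    """Same five joins through the single-statement path."""
    conn = new_db()
    results = [add_member_atomic(conn, 1, u)
               for u in ["alice", "bob", "carol", "dave", "erin"]]
    return results, member_count(conn, 1)
```

`racy_outcome()` ends with five members in a group capped at three; `atomic_outcome()` admits the first three and rejects the rest. A row-level lock on the group (or a database constraint that counts members) achieves the same serialisation for application code that cannot be collapsed into one statement.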