
1273 matches found

Positive Technologies · added 2025/03/28 12:0 a.m. · 6 views

PT-2025-19963 · Linksys · Linksys E5600

Name of the Vulnerable Software and Affected Versions: Linksys E5600 version 1.1.0.26 Description: A command injection issue was found in the runtime.InternetConnection function. Recommendations: For version 1.1.0.26, consider restricting access to the runtime.InternetConnection function until a...

CVSS 9.8 · AI score 6.9 · EPSS 0.08764 · Exploits 1 · References 8
OSV · added 2025/03/27 4:43 p.m. · 6 views

CVE-2022-49761 btrfs: always report error in run_one_delayed_ref()

In the Linux kernel, the following vulnerability has been resolved: btrfs: always report error in run_one_delayed_ref(). Currently we have a btrfs_debug() for run_one_delayed_ref() failure, but if end users hit such a problem, there will be no chance that btrfs_debug() is enabled. This can lead to very little usefu...

CVSS 7.8 · AI score 5.7 · EPSS 0.0017 · Exploits 0 · References 7
OSV · added 2025/03/26 4:18 p.m. · 4 views

CVE-2025-30217 Frappe has possibility of SQL injection due to improper validations

Frappe is a full-stack web application framework. Prior to versions 14.93.2 and 15.55.0, a SQL Injection vulnerability has been identified in Frappe Framework which could allow a malicious actor to access sensitive information. Versions 14.93.2 and 15.55.0 contain a patch for the issue. No known...

CVSS 8.7 · AI score 7.7 · EPSS 0.00316 · Exploits 0 · References 3
OSV · added 2025/03/26 2:21 p.m. · 10 views

CVE-2025-27404 Icinga Web 2 DOM-based XSS vulnerability

Icinga Web 2 is an open source monitoring web interface, framework and command-line interface. A vulnerability in versions prior to 2.11.5 and 2.12.13 allows an attacker to craft a URL that, once visited by any user, embeds arbitrary JavaScript into Icinga Web and lets the attacker act on behalf of tha...

CVSS 7.6 · AI score 6.5 · EPSS 0.00522 · Exploits 0 · References 5
Cvelist · added 2025/03/26 2:15 p.m. · 20 views

CVE-2025-24972 Discourse may bypass user preference when adding users to chat groups

Discourse is an open-source discussion platform. Prior to versions 3.3.4 on the stable branch and 3.4.0.beta5 on the beta branch, in specific circumstances, users could be added to group direct messages despite disabling direct messaging in their preferences. Versions 3.3.4 and 3.4.0.beta5 contai...

CVSS 4.3 · EPSS 0.00326 · Exploits 0 · References 1
NVD · added 2025/03/25 8:15 p.m. · 20 views

CVE-2025-30216

CryptoLib provides a software-only solution using the CCSDS Space Data Link Security Protocol - Extended Procedures (SDLS-EP) to secure communications between a spacecraft running the core Flight System (cFS) and a ground station. In versions 1.3.3 and prior, a Heap Overflow vulnerability occurs in t...

CVSS 9.4 · EPSS 0.02181 · Exploits 2 · References 3
OSV · added 2025/03/24 3:53 p.m. · 14 views

CVE-2025-23204 GraphQl securityAfterResolver not called

API Platform Core is a system to create hypermedia-driven REST and GraphQL APIs. Starting in version 3.3.8, a security check that gets called after GraphQL resolvers is always replaced by another one, because a clause has no break. As this falls back to security, the impact is there only when...

CVSS 4.4 · AI score 6.6 · EPSS 0.00259 · Exploits 0 · References 7
OSV · added 2025/03/21 5:44 p.m. · 7 views

SUSE-SU-2025:0984-1 Security update for xorg-x11-server

This update for xorg-x11-server fixes the following issues: - CVE-2022-49737: Fixed Xorg crashing when client applications use easystroke for mouse gestures (bsc#1239750)...

CVSS 7.7 · AI score 7.2 · EPSS 0.00291 · Exploits 0 · References 3
OSV · added 2025/03/20 1:1 p.m. · 8 views

OPENSUSE-SU-2025:0094-1 Security update for gitea-tea

This update for gitea-tea fixes the following issues: - gitea-tea: update to newer dependencies to fix security issues (boo#1235367, boo#1239493, boo#1234598)...

CVSS 9.1 · AI score 7.4 · EPSS 0.03092 · Exploits 2 · References 7
CVE · added 2025/03/19 8:42 p.m. · 65 views

CVE-2025-27779

CVE-2025-27779 (Applio) : Affects Applio, versions 3.2.8-bugfix and prior. The issue is unsafe deserialization in the model_blender.py file (lines 20–21) triggered when user-supplied input (e.g., a model path) is passed through voice_blender.py’s model_fusion_a/b to run_model_blender_script and e...

CVSS 9.8 · AI score 7.5 · EPSS 0.00845 · Exploits 0 · References 4 · Affected Software 1
OSV · added 2025/03/19 8:42 p.m. · 6 views

CVE-2025-27779 Applio allows unsafe deserialization in model_blender.py

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in model_blender.py, lines 20 and 21. model_fusion_a and model_fusion_b from voice_blender.py take user-supplied input (e.g. a path to a model) and pass that value to run_model_blender_script and...

CVSS 9.3 · AI score 8 · EPSS 0.00845 · Exploits 0 · References 6
Github Security Blog · added 2025/03/19 8:34 p.m. · 10 views

The WikiManager REST API allows any user to create wikis

Impact: Any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so perform other attacks on the farm. Note that this REST API is not bundled in XWiki Standard by default: it needs to be installed manually through the extension manager...

CVSS 9.8 · AI score 6.5 · EPSS 0.00532 · Exploits 1 · References 5 · Affected Software 1
OSV · added 2025/03/19 8:22 p.m. · 5 views

CVE-2025-27781 Applio allows unsafe deserialization in inference.py

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in inference.py. model_file in inference.py, as well as model_file in tts.py, take user-supplied input (e.g. a path to a model) and pass that value to change_choices and later to get_speakers_id...

CVSS 9.3 · AI score 8 · EPSS 0.00845 · Exploits 0 · References 7
OSV · added 2025/03/19 8:16 p.m. · 5 views

CVE-2025-27780 Applio allows unsafe deserialization in model_information.py

Applio is a voice conversion tool. Versions 3.2.8-bugfix and prior are vulnerable to unsafe deserialization in model_information.py. model_name in model_information.py takes user-supplied input (e.g. a path to a model) and passes that value to run_model_information_script and later to model_information...

CVSS 9.3 · AI score 8 · EPSS 0.00845 · Exploits 0 · References 6
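The three Applio entries above (CVE-2025-27779, CVE-2025-27780, CVE-2025-27781) share one pattern: a user-supplied model path reaches a loader that deserializes the file with pickle, so whoever controls the file controls what runs. The Python below is an added example, not Applio's code, showing why a pickled "model" is code execution and how a restricted unpickler refuses anything outside an allow-list of globals. The model-file layout (a pickled OrderedDict of weights), the sentinel environment variable and the function names are assumptions for the demo. For real PyTorch checkpoints the equivalent mitigation is torch.load(..., weights_only=True) or a non-pickle format such as safetensors.

```python
import collections
import io
import os
import pickle

# Environment variable the malicious file sets so the effect is observable without
# harming the host; a real payload would call os.system or similar. (Constructed demo.)
SENTINEL = "MODEL_FILE_DEMO_PWNED"


def reset_sentinel() -> None:
    os.environ.pop(SENTINEL, None)


def build_benign_model() -> bytes:
    """Constructed 'model file': a pickled OrderedDict of weights, as a state_dict
    would look with its tensors reduced to plain lists."""
    state = collections.OrderedDict(layer0_weight=[0.1, 0.2], layer0_bias=[0.0])
    return pickle.dumps(state, protocol=4)


class _Payload:
    """Any object with __reduce__ can name a callable for the unpickler to invoke;
    here it names builtins.exec with attacker-chosen source."""

    def __reduce__(self):
        return (exec, (f"import os; os.environ[{SENTINEL!r}] = '1'",))


def build_malicious_model() -> bytes:
    """Constructed 'model file' that carries code instead of weights."""
    return pickle.dumps(_Payload(), protocol=4)


def unsafe_load(blob: bytes):
    """What a loader does when it trusts the path: deserialize whatever is there."""
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Allow-list the globals a legitimate model file may reference and refuse the
    rest. Primitive containers (dict, list, float) are native pickle opcodes and
    never go through find_class, so they need no entry."""

    ALLOWED = {("collections", "OrderedDict")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"model file references {module}.{name}; refusing to load"
        )


def safe_load(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def safe_load_rejects(blob: bytes) -> bool:
    """True if the restricted loader refused the file before executing anything."""
    try:
        safe_load(blob)
    except pickle.UnpicklingError:
        return True
    return False


def payload_ran() -> bool:
    return os.environ.get(SENTINEL) == "1"


if __name__ == "__main__":
    reset_sentinel()
    print("benign file via restricted loader:", dict(safe_load(build_benign_model())))
    print("malicious file rejected by restricted loader:", safe_load_rejects(build_malicious_model()))
    print("payload ran so far:", payload_ran())
    unsafe_load(build_malicious_model())  # the vulnerable path: pickle.loads on user input
    print("payload ran after pickle.loads:", payload_ran())
```

The allow-list is the important design choice: the restricted loader does not try to recognise malicious globals, it only admits the handful a weights file legitimately needs, so `builtins.exec`, `os.system`, `subprocess.Popen` and anything else an attacker might name are all refused the same way.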
OSV · added 2025/03/19 5:40 p.m. · 7 views

CVE-2025-29926 The WikiManager REST API allows any user to create wikis

XWiki Platform is a generic wiki platform. Prior to 15.10.15, 16.4.6, and 16.10.0, any user can exploit the WikiManager REST API to create a new wiki, where the user could become an administrator and so perform other attacks on the farm. Note that this REST API is not bundled in XWiki Standard b...

CVSS 7.9 · AI score 6.5 · EPSS 0.00532 · Exploits 1 · References 5
CVE · added 2025/03/19 5:31 p.m. · 500 views

CVE-2025-29924

XWiki Platform contains an authorization bypass in subwikis that can expose private information via the REST API (and potentially other APIs) when rights like “Prevent unregistered users to view pages” or “Prevent unregistered users to edit pages” are enabled. Affected versions: before 15.10.14, ...

CVSS 8.7 · AI score 6.1 · EPSS 0.00371 · Exploits 0 · References 3 · Affected Software 1
OSV · added 2025/03/19 5:31 p.m. · 9 views

CVE-2025-29924 XWiki uses the wrong wiki reference in AuthorizationManager

XWiki Platform is a generic wiki platform. Prior to 15.10.14, 16.4.6, and 16.10.0-rc-1, it is possible for a user to get access to private information through the REST API (and potentially through another API) when a sub-wiki is using "Prevent unregistered users to view pages". The...

CVSS 8.7 · AI score 6.2 · EPSS 0.00371 · Exploits 0 · References 5
Github Security Blog · added 2025/03/19 4:46 p.m. · 40 views

Sylius PayPal Plugin has an Order Manipulation Vulnerability after PayPal Checkout

A discovered vulnerability allows users to modify their shopping cart after completing the PayPal Checkout process and payment authorization. If a user initiates a PayPal transaction from a product page or the cart page and then returns to the order summary page, they can still manipulate the car...

CVSS 6.5 · AI score 6.2 · EPSS 0.00323 · Exploits 0 · References 4 · Affected Software 1
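The Sylius entry above describes a cart that can still change after PayPal has authorized a specific amount. The check below is an added example in Python, not the plugin's own code (the plugin is PHP): the shop records the authorized amount together with a fingerprint of the cart lines when the authorization comes back, and order completion re-derives both and refuses to capture if either differs. The Order, CartLine and Authorization shapes and the scenario data are assumptions constructed for the demo.

```python
import hashlib
import json
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class CartLine:
    sku: str
    qty: int
    unit_price_cents: int


@dataclass
class Order:
    lines: List[CartLine]

    def total_cents(self) -> int:
        return sum(line.qty * line.unit_price_cents for line in self.lines)

    def fingerprint(self) -> str:
        """Order-independent digest of what is being bought, not only what it costs,
        so a swap to a different item at the same price is still detected."""
        canonical = json.dumps(
            sorted((l.sku, l.qty, l.unit_price_cents) for l in self.lines),
            separators=(",", ":"),
        )
        return hashlib.sha256(canonical.encode()).hexdigest()


@dataclass(frozen=True)
class Authorization:
    """What the shop persists when the gateway reports an approved authorization
    (assumed shape; a real record would also carry the gateway's authorization id)."""
    amount_cents: int
    cart_fingerprint: str


def record_authorization(order: Order) -> Authorization:
    """Called when the customer returns from the gateway with an approved authorization."""
    return Authorization(order.total_cents(), order.fingerprint())


def complete_order(order: Order, auth: Authorization) -> Tuple[bool, str]:
    """Gate on the order-summary step: capture only if the cart still matches the
    authorization. On mismatch the caller must send the customer back to re-authorize."""
    if order.total_cents() != auth.amount_cents:
        return False, "total differs from authorized amount; re-authorize"
    if order.fingerprint() != auth.cart_fingerprint:
        return False, "cart contents changed since authorization; re-authorize"
    return True, "capture authorized amount"


def demo() -> dict:
    """Constructed scenario: authorize, then tamper with the cart before completing."""
    order = Order([CartLine("SKU-1", 1, 5000)])
    auth = record_authorization(order)
    unchanged = complete_order(order, auth)

    # Tamper 1: add an item after authorization (total rises, amount check fails).
    order.lines.append(CartLine("SKU-2", 1, 9900))
    more_items = complete_order(order, auth)

    # Tamper 2: replace the cart with a different item at the same price
    # (total unchanged, so only the fingerprint catches it).
    order.lines = [CartLine("SKU-3", 1, 5000)]
    same_total = complete_order(order, auth)

    return {
        "unchanged": unchanged[0],
        "more_items": more_items[0],
        "same_total": same_total[0],
    }


if __name__ == "__main__":
    print(demo())
```

Comparing only the total is the tempting shortcut and is why the second tamper case is in the demo: an authorization binds a payment to a specific purchase, so the content fingerprint has to travel with the amount.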
NVD · added 2025/03/18 7:15 p.m. · 18 views

CVE-2025-24801

GLPI is a free asset and IT management software package. An authenticated user can upload and force the execution of .php files located on the GLPI server. This vulnerability is fixed in 10.0.18...

CVSS 8.8 · EPSS 0.17467 · Exploits 2 · References 1
CVE · added 2025/03/18 6:32 p.m. · 109 views

CVE-2025-24801

GLPI (asset/IT management software) has CVE-2025-24801 where an authenticated user can upload and force execution of PHP files on the GLPI server. Root cause described in the Nessus/NASL entry aligns with improper handling of uploaded files. Fixed in GLPI version 10.0.18. Remediation is to upgrad...

CVSS 8.8 · AI score 8.4 · EPSS 0.17467 · Exploits 2 · References 1 · Affected Software 1