CVE-2025-29788 Sylius PayPal Plugin Payment Amount Manipulation Vulnerability

The Syliud PayPal Plugin is the Sylius Core Team’s plugin for the PayPal Commerce Platform. A vulnerability in versions prior to 1.6.1, 1.7.1, and 2.0.1 allows users to manipulate the final payment amount processed by PayPal. If a user modifies the item quantity in their shopping cart after...

CVE-2025-29782

WeGIA is Web manager for charitable institutions A Stored Cross-Site Scripting XSS vulnerability was identified in the adicionartipodocsatendido.php endpoint in versions of the WeGIA application prior to 3.2.17. This vulnerability allows attackers to inject malicious scripts into the tipo...

Qiskit allows arbitrary code execution decoding QPY format versions < 13

Impact A maliciously crafted QPY file can potentially execute arbitrary-code embedded in the payload without privilege escalation when deserializing QPY formats 13. A python process calling Qiskit's qiskit.qpy.load function could potentially execute any arbitrary Python code embedded in the corre...

CVE-2025-29782 WeGIA Cross-Site Scripting (XSS) Stored in endpoint `adicionar_tipo_docs_atendido.php` parameter `tipo`

WeGIA is Web manager for charitable institutions A Stored Cross-Site Scripting XSS vulnerability was identified in the adicionartipodocsatendido.php endpoint in versions of the WeGIA application prior to 3.2.17. This vulnerability allows attackers to inject malicious scripts into the tipo...

CVE-2025-27602

Umbraco is a free and open source .NET content management system. In versions of Umbraco's web backoffice program prior to versions 10.8.9 and 13.7.1, via manipulation of backoffice API URLs, it's possible for authenticated backoffice users to retrieve or delete content or media held within folde...

PT-2025-11211 · Dataease · Dataease

Name of the Vulnerable Software and Affected Versions: DataEase versions prior to 2.10.6 Description: DataEase is an open source business intelligence and data visualization tool. A patch bypass issue allows authenticated users to read and deserialize arbitrary files through the background JDBC...

CVE-2025-27794

Flarum is open-source forum software. A session hijacking vulnerability exists in versions prior to 1.8.10 when an attacker-controlled authoritative subdomain under a parent domain e.g., subdomain.host.com sets cookies scoped to the parent domain .host.com. This allows session token replacement f...

SUSE-SU-2025:0845-1 Security update for iniparser

This update for iniparser fixes the following issues: - CVE-2025-0633: string copy into buffer without previous size validation leads to heap buffer overflow in iniparserdumpsectionini of iniparser bsc1237377...

Below has Incorrect Permission Assignment for Critical Resource

Impact A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files such as...

Umbraco Allows Improper API Access Control to Low-Privilege Users to Data Type Functionality

Impact An improper API access control issue has been identified, allowing low-privilege, authenticated users to create and update data type information that should be restricted to users with access to the settings section. Patches Will be patched in 14.3.3 and 15.2.3. Workarounds None available...

GHSA-2CMQ-823J-5QJ8 Out-of-bounds Write in SixLabors ImageSharp

Impact An Out-of-bounds Write vulnerability has been found in the ImageSharp gif decoder, allowing attackers to cause a crash using a specially crafted gif. This can potentially lead to denial of service. Patches The problem has been patched. All users are advised to upgrade to v3.1.7 or v2.1.10...

CVE-2024-47260

51l3nc3, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API mediaclip.cgi did not have a sufficient input validation allowing for uploading more audio clips then designed resulting in the Axis device running out of memory. Axis has released patched AXIS OS versions for the...

CVE-2024-47262

Dzmitry Lukyanenka, member of the AXIS OS Bug Bounty Program, has found that the VAPIX API param.cgi was vulnerable to a race condition attack allowing for an attacker to block access to the web interface of the Axis device. Other API endpoints or services not making use of param.cgi are not...

Linux Distros Unpatched Vulnerability : CVE-2024-53156

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - wifi: ath9k: add range check for connrspepid in htcconnectservice I found the following bug in my fuzzer: UBSAN: array-index-out-of-bounds in...

Linux Distros Unpatched Vulnerability : CVE-2024-56700

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - media: wl128x: Fix atomicity violation in fmcsendcmd Atomicity violation occurs when the fmcsendcmd function is executed simultaneously with the modification of...

CVE-2025-20644

In Modem, there is a possible memory corruption due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation...

Linux Distros Unpatched Vulnerability : CVE-2023-26036

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33...

Linux Distros Unpatched Vulnerability : CVE-2021-47572

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - In the Linux kernel, the following vulnerability has been resolved: net: nexthop: fix null pointer dereference when IPv6 is not enabled When we try to add an IP...

CVE-2025-22491 Improper Input Validation in Foreseer Reporting Software (FRS)

The user input was not sanitized on Reporting Hierarchy Management page of Foreseer Reporting Software FRS application which could lead into execution of arbitrary JavaScript in a browser context for all the interacting users. This security issue has been patched in the latest version 1.5.100 of...

Security Bulletin: IBM Maximo Application Suite - Monitor Component is vulnerable to werkzeug-3.0.4-py3-none-any.whl CVE-2024-49766

Summary IBM Maximo Application Suite - Monitor Component is vulnerable to werkzeug-3.0.4-py3-none-any.whl CVE-2024-49766. This bulletin identifies the steps to take to address the vulnerabilities. Vulnerability Details CVEID:CVE-2024-49766 DESCRIPTION: Werkzeug is a Web Server Gateway Interface w...