CVE-2025-22605
CVE-2025-22605 affects Coolify prior to 4.0.0-beta.253, where an authenticated user can execute arbitrary commands in the local Coolify container due to a remote command execution vulnerability. This could lead to exposure of data and private keys/tokens, and the ability to modify running softwar...
GHSA-27C6-MCXV-X3FH Unlimited consumption of resources in @fastify/multipart
Impact: The saveRequestFiles function does not delete the uploaded temporary files when the user cancels the request. Patches: Fixed in versions 8.3.1 and 9.0.3. Workarounds: Do not use saveRequestFiles. References: This was identified in https://github.com/fastify/fastify-multipart/issues/546 and fixed in...
CVE-2025-24034 Himmelblau leaks credentials in the debug log
Himmelblau is an interoperability suite for Microsoft Azure Entra ID and Intune. Starting in version 0.7.0 and prior to versions 0.7.15 and 0.8.3, Himmelblau is vulnerable to leaking credentials in debug logs. When debug logging is enabled, user access tokens are inadvertently logged, potentially...
GHSA-GMJ9-H825-CHQ2 try/except* clauses could allow bypass of RestrictedPython via type confusion bug in the CPython interpreter
Impact: Via a type confusion bug in the CPython interpreter when using try/except*, RestrictedPython could be bypassed. We believe this should be fixed upstream in Python itself; until then, we remove support for try/except* from RestrictedPython. It has been fixed for some Python versions. Patches...
GHSA-HMG4-WWM5-P999 Umbraco Allows User Enumeration Feasible Based On Management API Timing and Response Codes
Impact: Based on an analysis of response codes and timing of Umbraco 14+ management API responses, it is possible to determine whether an account exists. Patches: Patched in 14.3.2 and 15.1.2. Workarounds: None available...
GHSA-X684-96HH-833X Craft CMS has a potential RCE with a compromised security key
Impact: This is an RCE vulnerability that affects Craft 4 and 5 installs where your security key has already been compromised. https://craftcms.com/knowledge-base/securing-craftkeep-your-secrets-secret Anyone running an unpatched version of Craft with a compromised security key is affected. Patche...
CVE-2024-51738 Sunshine improperly enforces pairing protocol request order
Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairi...
matrix-media-repo (MMR) allows a denial of service through memory exhaustion
Impact: MMR makes requests to other servers as part of normal operation, and these resource owners can return large amounts of JSON for MMR to parse. While parsing, MMR can consume large amounts of memory and exhaust the available memory. Patches: This is fixed in MMR v1.3.8. Workarounds: Forward...
PT-2025-4760 · Linksys · Linksys E5600 Router
Name of the Vulnerable Software and Affected Versions: Linksys E5600 Router version 1.1.0.26. Description: A stored cross-site scripting (XSS) vulnerability in the spf table content component allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the desc...
CVE-2024-53682 regulator: axp20x: AXP717: set ramp_delay
In the Linux kernel, the following vulnerability has been resolved: regulator: axp20x: AXP717: set ramp_delay. The AXP717 datasheet says that the regulator ramp delay is 15.625 us/step, which is 10mV in our case. Add an AXP_DESC_RANGES_DELAY macro and update the AXP_DESC_RANGES macro to expand to AXP_DESC_RANGES_DELAY...
GHSA-J4JW-M6XR-FV6C Soft Serve vulnerable to path traversal attacks
Impact: A path traversal attack allows existing non-admin users to access and take over other users' repositories. A malicious user can then modify, delete, and arbitrarily act on repositories as if they were an admin user, without having been explicitly granted permissions. Patches: This is patched in v0.8...
BIT-VALKEY-2024-51741 Redis allows denial-of-service due to malformed ACL selectors
Redis is an open source, in-memory database that persists on disk. An authenticated user with sufficient privileges may create a malformed ACL selector which, when accessed, triggers a server panic and subsequent denial of service. The problem is fixed in Redis 7.2.7 and 7.4.2...
matrix-sdk-crypto missing facility to signal rotation of a verified cryptographic identity
Impact: Versions of the matrix-sdk-crypto Rust crate before 0.8.0 lack a dedicated mechanism to notify that a user's cryptographic identity has changed from a verified to an unverified one, which could cause client applications relying on the SDK to overlook such changes. Patches: matrix-sdk-crypto...
CVE-2024-7696
Seth Fogie, member of AXIS Camera Station Pro Bug Bounty Program, has found that it is possible for an authenticated malicious client to tamper with audit log creation in AXIS Camera Station, or perform a Denial-of-Service attack on the AXIS Camera Station server using maliciously crafted audit l...
CVE-2024-13129
A vulnerability was found in Roxy-WI up to 8.1.3. It has been declared as critical. Affected by this vulnerability is the function action_service of the file app/modules/roxywi/roxy.py. The manipulation of the argument action/service leads to OS command injection. The attack can be launched...
CVE-2024-56365
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 are vulnerable to unauthorized reflected cross-site scripting in the constructor of the Downloader class. Using the /vendor/phpoffice/phpspreadsheet/samples/download.php...
CVE-2024-56409
CVE-2024-56409 concerns PhpSpreadsheet, a PHP library for spreadsheet handling. The vulnerable component is the Currency.php sample, where the currency parameter is not sanitized, allowing an unauthorized reflected cross-site scripting (XSS) attack when an attacker submi...
CVE-2024-56408 PhpSpreadsheet allows unauthorized reflected XSS in `Convert-Online.php` file
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Versions prior to 3.7.0, 2.3.5, 2.1.6, and 1.29.7 have no sanitization in the /vendor/phpoffice/phpspreadsheet/samples/Engineering/Convert-Online.php file, which leads to the possibility of a cross-site scripting attack...
PT-2025-16200
Name of the Vulnerable Software and Affected Versions: Open Asset Import Library (Assimp) versions up to 5.4.3. Description: A critical issue has been found in the Open Asset Import Library (Assimp), affecting the function aiString::Set in the library file include/assimp/types.h of the component File...
DLA-4006-1 python-django - security update
Bulletin has no description...