5963 matches found

Source: vulnersOsv | added 2025/12/15 12:30 p.m. | 1 view

apache-airflow-core (>=3.1.0 <=3.1.4), apache-airflow-providers-common-compat (>=1.6.0 <=1.7.3rc1) +6 more potentially affected by CVE-2025-66388 via apache-airflow (>=3.1.0 <=3.1.4)

apache-airflow PYPI version =3.1.0, =3.1.0, =1.6.0, =1.5.3, =1.26.0, =2.0.2, =0.4.0, =1.1.0, =1.1.4 Source cves: CVE-2025-66388 Source advisory: OSV:GHSA-FV47-PQH6-WXGQ...

CVSS 6.5 | AI score 5.4 | EPSS 0.00041 | Exploits 0
Source: vulnersOsv | added 2025/12/15 12:15 p.m. | 2 views

apache-airflow-core (>=3.1.0 <=3.1.3), apache-airflow-providers-common-compat (>=1.6.0 <=1.7.3rc1) +6 more potentially affected by CVE-2025-66388 via apache-airflow (>=3.1.0 <=3.1.3)

apache-airflow PYPI version =3.1.0, =3.1.0, =1.6.0, =1.5.3, =1.26.0, =2.0.2, =0.4.0, =1.1.0, =1.1.3 Source cves: CVE-2025-66388 Source advisory: OSV:PYSEC-2025-86...

CVSS 6.5 | AI score 5.4 | EPSS 0.00041 | Exploits 0
Source: Tenable Nessus | added 2025/12/15 12:00 a.m. | 8 views

Oracle Linux 9 : kernel (ELSA-2025-17377)

The remote Oracle Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2025-17377 advisory. - wifi: ath12k: Decrement TID on RX peer frag setup error handling CKI Backport Bot RHEL-114705 CVE-2025-39761 - security/keys: fix slab-out-of-bounds...

CVSS 7.1 | AI score 7.2 | EPSS 0.00081 | Exploits 0 | References 4
Source: RedhatCVE | added 2025/12/13 9:41 a.m. | 3 views

CVE-2025-12348

The Icegram Express - Email Subscribers, Newsletters and Marketing Automation Plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 5.9.10. This is due to the plugin not properly verifying that a user is authorized to perform an action in the...

CVSS 5.3 | AI score 6.3 | EPSS 0.00208 | Exploits 0 | References 1
Source: Veracode | added 2025/12/13 7:32 a.m. | 2 views

Incorrect Access Control

open-webui is vulnerable to Incorrect Access Control. The vulnerability is due to missing ownership verification in the /api/tasks/stop/ API, allowing a normal user to stop arbitrary LLM response tasks by directly cancelling tasks without proper authorization checks...

CVSS 4.3 | AI score 5.9 | EPSS 0.00017 | Exploits 1 | References 2 | Affected Software 1
Source: Veracode | added 2025/12/13 5:21 a.m. | 5 views

Cross-site Request Forgery

Jenkins Nexus Task Runner Plugin is vulnerable to a Cross-Site Request Forgery (CSRF). The vulnerability is due to missing CSRF protection on sensitive plugin endpoints, where crafted requests can trigger actions without user interaction, allowing attackers to force an authenticated Jenkins user to...

CVSS 4.3 | AI score 6.7 | EPSS 0.00019 | Exploits 0 | References 2 | Affected Software 1
Source: Veracode | added 2025/12/13 4:57 a.m. | 7 views

Authorization Bypass

Jenkins Nexus Task Runner Plugin is vulnerable to an Authorization Bypass. The vulnerability is due to a missing permission check, allowing attackers with only Overall/Read permission to force the plugin to connect to an attacker-controlled URL using attacker-supplied credentials, potentially...

CVSS 4.3 | AI score 6.8 | EPSS 0.00025 | Exploits 0 | References 3 | Affected Software 1
Source: RedhatCVE | added 2025/12/13 3:59 a.m. | 3 views

CVE-2025-14064

The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

CVSS 6.5 | AI score 5.2 | EPSS 0.00048 | Exploits 0 | References 1
Source: EUVD | added 2025/12/12 6:31 a.m. | 3 views

EUVD-2025-203012

The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

CVSS 6.5 | AI score 4.7 | EPSS 0.00048 | Exploits 0 | References 9
Source: Vulnrichment | added 2025/12/12 3:20 a.m. | 2 views

CVE-2025-14064 BuddyTask <= 1.3.0 - Missing Authorization to Authenticated (Subscriber+) Cross-Group Task Board Access and Manipulation

The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

CVSS 6.5 | AI score 4.8 | EPSS 0.00048 | Exploits 0 | References 8
Source: CVE | added 2025/12/12 3:20 a.m. | 18 views

CVE-2025-14064

CVE-2025-14064 concerns BuddyTask for WordPress. The vulnerability arises from a missing capability check on multiple AJAX endpoints, affecting all versions up to and including 1.3.0. This allows authenticated attackers with Subscriber-level access or higher to view, create, modify, and delete ta...

CVSS 6.5 | AI score 4.8 | EPSS 0.00048 | Exploits 0 | References 8
Source: Cvelist | added 2025/12/12 3:20 a.m. | 25 views

CVE-2025-14064 BuddyTask <= 1.3.0 - Missing Authorization to Authenticated (Subscriber+) Cross-Group Task Board Access and Manipulation

The BuddyTask plugin for WordPress is vulnerable to unauthorized access and modification of data due to a missing capability check on multiple AJAX endpoints in all versions up to, and including, 1.3.0. This makes it possible for authenticated attackers, with Subscriber-level access and above, to...

CVSS 5.4 | EPSS 0.00048 | Exploits 0 | References 8
Source: CVE | added 2025/12/12 12:00 a.m. | 8 views

CVE-2025-65854

CVE-2025-65854: MineAdmin v3.x has insecure permissions in the scheduled tasks feature, allowing attackers to run arbitrary commands and potentially take full account control. The vulnerability stems from misconfigured permissions in the scheduled tasks component, with impact described as arbitr...

CVSS 9.8 | AI score 7.2 | EPSS 0.00091 | Exploits 0 | References 3 | Affected Software 1
Source: CNNVD | added 2025/12/12 12:00 a.m. | 2 views

WordPress plugin Icegram Express access control error vulnerability

WordPress and WordPress plugin are both products of the WordPress Foundation. WordPress is a blogging platform developed in the PHP language; it can host personal blog sites on PHP- and MySQL-based servers. WordPress plugin is an application plugin. An access...

CVSS 5.3 | AI score 6.5 | EPSS 0.00208 | Exploits 0 | References 4
Source: CVE | added 2025/12/11 2:02 p.m. | 20 views

CVE-2025-14516

Yalantis uCrop 2.2.11 contains a Server-Side Request Forgery (SSRF) in the URL Handler: downloadFile() in com.yalantis.ucrop.task.BitmapLoadTask.java. Manipulation allows remote-triggered requests, with disclosure publicly available and vendor not responding. Multiple sources (NVD, Red Hat, CVE l...

CVSS 8.8 | AI score 6.3 | EPSS 0.00065 | Exploits 1 | References 5 | Affected Software 1
Source: Vulnrichment | added 2025/12/11 2:02 p.m. | 6 views

CVE-2025-14516 Yalantis uCrop URL com.yalantis.ucrop.task.BitmapLoadTask.java downloadFile server-side request forgery

A vulnerability was found in Yalantis uCrop 2.2.11. Affected by this issue is the function downloadFile of the file com.yalantis.ucrop.task.BitmapLoadTask.java of the component URL Handler. Performing manipulation results in server-side request forgery. The attack may be initiated remotely. The...

CVSS 6.5 | AI score 6.4 | EPSS 0.00065 | Exploits 1 | References 5
Source: EUVD | added 2025/12/11 2:02 p.m. | 3 views

EUVD-2025-202689

A vulnerability was found in Yalantis uCrop 2.2.11. Affected by this issue is the function downloadFile of the file com.yalantis.ucrop.task.BitmapLoadTask.java of the component URL Handler. Performing manipulation results in server-side request forgery. The attack may be initiated remotely. The...

CVSS 6.5 | AI score 6.2 | EPSS 0.00065 | Exploits 1 | References 6
Source: The Hacker News | added 2025/12/11 1:16 p.m. | 21 views

NANOREMOTE Malware Uses Google Drive API for Hidden Control on Windows Systems

Cybersecurity researchers have disclosed details of a new fully-featured Windows backdoor called NANOREMOTE that uses the Google Drive API for command-and-control (C2) purposes. According to a report from Elastic Security Labs, the malware shares code similarities with another implant codenamed...

AI score 7.1 | Exploits 0
Source: Tenable Nessus | added 2025/12/11 12:00 a.m. | 3 views

Unity Linux 20.1050e Security Update: kernel (UTSA-2025-991121)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2025-991121 advisory. In the Linux kernel, the following vulnerability has been resolved: crypto: pcrypt - Fix hungtask for PADATA_RESET. We found a hungtask bug in test_aead_vec_cfg as...

CVSS 5.5 | AI score 6 | EPSS 0.00015 | Exploits 0 | References 4
Source: Positive Technologies | added 2025/12/11 12:00 a.m. | 4 views

PT-2025-50608

A vulnerability was found in Yalantis uCrop 2.2.11. Affected by this issue is the function downloadFile of the file com.yalantis.ucrop.task.BitmapLoadTask.java of the component URL Handler. Performing manipulation results in server-side request forgery. The attack may be initiated remotely. The...

CVSS 6.5 | AI score 6.6 | EPSS 0.00065 | Exploits 1 | References 6