3 matches found
Craft CMS Vulnerable to Authenticated RCE via Twig SSTI - create() function + Symfony Process gadget
There is an authenticated admin RCE in Craft CMS 5.8.21 via Server-Side Template Injection using the 'create' Twig function combined with a Symfony Process gadget chain. This bypasses the fix implemented for CVE-2025-57811, which was patched in 5.8.7. Required Permissions - Administrator permissions or access...
CVE-2025-8082 Vuetify XSS via unsanitized 'titleDateFormat' in 'VDatePicker'
Improper neutralization of the title date in the 'VDatePicker' component in Vuetify allows unsanitized HTML to be inserted into the page. This can lead to a Cross-Site Scripting (XSS, https://owasp.org/www-community/attacks/xss) attack. The vulnerability occurs because the 'title-date-format'...
ILife Photocast XML Title Format String Code Execution - Ver2 (CVE-2007-0051)
A code execution vulnerability has been reported in Apple iPhoto. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on the affected system...