OpenBao lacks user confirmation for OIDC direct callback mode

Impact OpenBao does not prompt for user confirmation when logging in via JWT/OIDC and a role with callbackmode set to direct. This allows an attacker to start an authentication request and perform "remote phishing" by having the victim visit the URL and automatically log-in to the session of the...

CVE-2026-33438 Stirling-PDF vulnerable to DoS via add-watermark

Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. Versions starting in 2.1.5 and prior to 2.5.2 have Denial of Service DoS vulnerability in the Stirling-PDF watermark functionality /api/v1/security/add-watermark endpoint. The vulnerabilit...

CVE-2025-69768

CVE-2025-69768 describes an SQL injection vulnerability in Chyrp prior to version 2.5.2 affecting the Admin.php component, enabling a remote attacker to potentially obtain sensitive information via that interface. The document notes affected software (Chyrp v2.5.2 and earlier) and the vulnerable ...

CVE-2024-53252

creationtimestamp| type| source ---|---|--- 2026-01-22 11:21:06+00:00| seen| https://bsky.app/profile/cve.skyfleet.blue/post/3mcz2yblmdo2t...

Security Bulletin: IBM Maximo Application Suite uses java 17.0.13,github.com/go-viper/mapstructure/v2 v2.2.1 and github.com/docker/docker v27.3.1 which is vulnerable to GHSA-2464-8j7c-4cjm,CVE-2025-21502 and CVE-2025-54410

Summary IBM Maximo Application Suite uses java 17.0.13,github.com/go-viper/mapstructure/v2 v2.2.1 and github.com/docker/docker v27.3.1 which is vulnerable to GHSA-2464-8j7c-4cjm,CVE-2025-21502 and CVE-2025-54410. This bulletin contains information regarding the vulnerability and its fixture...

CVE-2025-68617

FluidSynth is a software synthesizer based on the SoundFont 2 specifications. From versions 2.5.0 to before 2.5.2, a race condition during unloading of a DLS file can trigger a heap-based use-after-free. A concurrently running thread may be pending to unload a DLS file, leading to use of freed...

EUVD-2025-203002

The Foxtool All-in-One: Contact chat button, Custom login, Media optimize images plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.5.2. This is due to missing or incorrect nonce validation on the foxtoollogingoogle function. This makes it...

CVE-2025-62866

Cross-Site Request Forgery CSRF vulnerability in Valerio Monti Auto Alt Text auto-alt-text allows Cross Site Request Forgery.This issue affects Auto Alt Text: from n/a through = 2.5.2...

Asterisk 安全漏洞

Asterisk is an Asterisk open source software for PBX systems that runs on Linux and supports IP calls using SIP, IAX, and H323 protocols. Asterisk version 20.15.2 and versions prior to 22.5.2 have a security vulnerability that stems from the getauthorizationheader function returning NULL resultin...

redis:6 security update

6.2.18-1.0.1 - Build with 64k pages to support redis on both UEK6 and UEK7 on aarch64 6.2.18-1 - rebase to 6.2.18 for CVE-2025-21605...

CVE-2025-31888 WordPress WP Multi Store Locator Plugin <= 2.5.2 - Cross Site Request Forgery (CSRF) vulnerability

Cross-Site Request Forgery CSRF vulnerability in WPExperts.io WP Multistore Locator wp-multi-store-locator allows Cross Site Request Forgery.This issue affects WP Multistore Locator: from n/a through = 2.5.2...

CVE-2024-53678

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in Apache VCL. Users can modify form data submitted when requesting a new Block Allocation such that a SELECT SQL statement is modified. The data returned by the SELECT statement is not viewable by th...

CVE-2025-24903

libsignal-service-rs is a Rust version of the libsignal-service-java library which implements the core functionality to communicate with Signal servers. Prior to commit 82d70f6720e762898f34ae76b0894b0297d9b2f8, any contact may forge a sync message, impersonating another device of the local user...

NASA AIT-Core 安全漏洞

NASA AIT-Core is a Python-based software suite organized by NASA. A security vulnerability exists in NASA AIT-Core version 2.5.2 that stems from the use of an unencrypted channel to exchange data over a network, which allows an attacker to perform a man-in-the-middle attack...

NASA AIT-Core 安全漏洞

NASA AIT-Core is a Python-based software suite organized by NASA. A security vulnerability exists in NASA AIT-Core version v2.5.2 that originates from allowing an attacker to execute arbitrary commands...

CVE-2023-4238

The Prevent files / folders access WordPress plugin before 2.5.2 does not validate files to be uploaded, which could allow attackers to upload arbitrary files such as PHP on the server...

Cockpit CMS 跨站请求伪造漏洞

Cockpit is an interactive server management interface. A security vulnerability exists in Cockpit CMS version 2.5.2 that stems from the presence of a cross-site request forgery CSRF vulnerability. An attacker can exploit this vulnerability to execute arbitrary administrator commands...

SUSE CVE-2021-41222

TensorFlow is an open source platform for machine learning. In affected versions the implementation of SplitV can trigger a segfault is an attacker supplies negative arguments. This occurs whenever sizesplits contains more than one value and at least one value is negative. The fix will be include...

PYSEC-2021-419

TensorFlow is an open source platform for machine learning. In affected versions the ImmutableConst operation in TensorFlow can be tricked into reading arbitrary memory contents. This is because the tstring TensorFlow string class has a special case for memory mapped strings but the operation...

CVE-2021-41228

TensorFlow is an open source platform for machine learning. In affected versions TensorFlow's savedmodelcli tool is vulnerable to a code injection as it calls eval on user supplied strings. This can be used by attackers to run arbitrary code on the plaform where the CLI tool runs. However, given...