CVE-2025-66224

OrangeHRM is a comprehensive human resource management HRM system. From version 5.0 to 5.7, the application contains an input-neutralization flaw in its mail configuration and delivery workflow that allows user-controlled values to flow directly into the system’s sendmail command. Because these...

CVE-2025-41738 CODESYS Control - Invalid type usage in visualization

An unauthenticated remote attacker may cause the visualisation server of the CODESYS Control runtime system to access a resource with a pointer of wrong type, potentially leading to a denial-of-service DoS condition...

Linux Distros Unpatched Vulnerability : CVE-2025-12893

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Clients may successfully perform a TLS handshake with a MongoDB server despite presenting a client certificate not aligning with the documented Extended Key Usa...

CVE-2025-66219

CVE-2025-66219 affects the willitmerge CLI, specifically versions 0.2.1 and earlier. The root cause is the use of an insecure child-process execution API (exec) that concatenates user-provided input (from command-line flags or repository-controlled data) into shell commands, enabling command inje...

CVE-2025-13757

SQL Injection vulnerability in last usage logs in Devolutions Server.This issue affects Devolutions Server: through 2025.2.20, through 2025.3.8...

CVE-2025-59454

In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL - listNetworkACLs - listResourceDetails - listVirtualMachinesUsageHistory - listVolumesUsageHistory While these APIs were accessible only to authorized users, insufficient permission validation meant that...

CVE-2025-55174

A flaw was found in Skanpage. This vulnerability allows an attacker to partially overwrite files, resulting in a file containing new content followed by partial old content, due to incorrect use of QIODevice::ReadWrite instead of QODevice::WriteOnly...

SUSE-SU-2025:21161-1 Security update for openssh

This update for openssh fixes the following issues: - CVE-2025-61984: code execution via control characters in usernames when a ProxyCommand is used bsc1251198. - CVE-2025-61985: code execution via '\0' character in ssh:// URI when a ProxyCommand is used bsc1251199...

CVE-2025-66382

In libexpat through 2.7.3, a crafted file with an approximate size of 2 MiB can lead to dozens of seconds of processing time...

Cross-site Scripting (XSS)

librenms/librenms is vulnerable to reflected cross-site scripting XSS. The vulnerability is due to improper filtering in the reportthis function in librenms/includes/functions.php, specifically incorrect use of htmlentities in an href context, which allows an attacker to inject malicious script v...

EUVD-2025-199829

SQL Injection vulnerability in last usage logs in Devolutions Server.This issue affects Devolutions Server: through 2025.2.20, through 2025.3.8...

CVE-2025-3261

CVE-2025-3261 entry is rejected/not used as stated; it does not represent an active vulnerability.

CVE-2025-13757

SQL Injection vulnerability in last usage logs in Devolutions Server.This issue affects Devolutions Server: through 2025.2.20, through 2025.3.8...

CVE-2025-13757

SQL Injection vulnerability in last usage logs in Devolutions Server.This issue affects Devolutions Server: through 2025.2.20, through 2025.3.8...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. The package was flagged as malicious during the Sha1-hulud supply chain attack. Although the Sha1-hulud IoCs are not present within the package, the contents of the affected version were removed from the officia...

CVE-2025-13757

CVE-2025-13757 affects Devolutions Server. The issue is an SQL injection in the last usage logs, exploitable across affected builds through 2025.2.20 and 2025.3.8. CVSS v3.1 base score 8.8 (NETWORK, LOW complexity, LOW privileges, no user interaction). Impact is high on confidentiality, integrity...

CVE-2025-13757

SQL Injection vulnerability in last usage logs in Devolutions Server.This issue affects Devolutions Server: through 2025.2.20, through 2025.3.8...

CVE-2025-13757

SQL Injection vulnerability in last usage logs in Devolutions Server.This issue affects Devolutions Server: through 2025.2.20, through 2025.3.8...

CVE-2025-59454

In Apache CloudStack, a gap in access control checks affected the APIs - createNetworkACL - listNetworkACLs - listResourceDetails - listVirtualMachinesUsageHistory - listVolumesUsageHistory While these APIs were accessible only to authorized users, insufficient permission validation meant that...

CVE-2025-13742

Emails sent by pretix can utilize placeholders that will be filled with customer data. For example, when name is used in an email template, it will be replaced with the buyer's name for the final email. If the name of the attendee contained HTML or Markdown formatting, this was rendered as HTML i...