Lucene search

14 matches found

EUVD
added 2025/10/03 8:7 p.m., 2 views

EUVD-2023-0514

Malicious code in bioql PyPI...

CVSS 8.8, AI score 8.6, EPSS 0.01488
Exploits: 1, References: 11
NVD
added 2025/07/22 10:15 p.m., 2 views

CVE-2025-54072

yt-dlp is a feature-rich command-line audio/video downloader. In versions 2025.06.25 and below, when the --exec option is used on Windows with the default placeholder or , insufficient sanitization is applied to the expanded filepath, allowing for remote code execution. This is a bypass of the...

CVSS 8.1, EPSS 0.00493
Exploits: 0, References: 3
CVE
added 2025/06/09 9:13 p.m., 161 views

CVE-2025-49140

Pion Interceptor (part of the RTP/RTCP framework) versions 0.1.36–0.1.38 contain a bug in the RTP packet factory that can cause a panic in Pion-based SFUs when handling crafted RTP packets. The issue is mitigated by upgrading to v0.1.39 or later, which adds a validation that padLen > 0 && padLen

CVSS 7.5, AI score 7.5, EPSS 0.00555
Exploits: 0, References: 4
RedhatCVE
added 2025/05/23 4:28 a.m., 3 views

CVE-2023-44391

Discourse is an open source platform for community discussion. User summaries are accessible for anonymous users even when hide_user_profiles_from_public is enabled. This problem has been patched in the 3.1.1 stable and 3.2.0.beta2 version of Discourse. Users are advised to upgrade. There are no know...

CVSS 5.3, AI score 6.6, EPSS 0.00284
Exploits: 0
RedhatCVE
added 2025/05/23 1:54 a.m., 3 views

CVE-2023-43656

matrix-hookshot is a Matrix bot for connecting to external services like GitHub, GitLab, JIRA, and more. Instances that have enabled transformation functions (those that have generic.allowJsTransformationFunctions in their config), may be vulnerable to an attack where it is possible to break out of...

CVSS 9, AI score 6.7, EPSS 0.00296
Exploits: 0, References: 1
RedhatCVE
added 2025/05/22 11:22 p.m., 4 views

CVE-2022-39394

Wasmtime is a standalone runtime for WebAssembly. Prior to version 2.0.2, there is a bug in Wasmtime's C API implementation where the definition of the wasmtime_trap_code does not match its declared signature in the wasmtime/trap.h header file. This discrepancy causes the function implementation to...

CVSS 9.8, AI score 6.8, EPSS 0.00118
Exploits: 0, References: 1
CVE
added 2025/02/04 9:16 p.m., 61 views

CVE-2024-53851

CVE-2024-53851 affects Discourse: an issue in the endpoint that generates inline oneboxes for URLs did not enforce limits on accepted URLs, enabling authenticated users to trigger denial of service in parts of the app. The vulnerability is mitigated by upgrading to the latest stable, beta, or tes...

CVSS 6.5, AI score 6.8, EPSS 0.00184
Exploits: 0, References: 2, Affected Software: 1
Cvelist
added 2025/02/04 8:55 p.m., 10 views

CVE-2024-56328 HTMLi(XSS without CSP) via Onebox urls in Discourse

Discourse is an open source platform for community discussion. An attacker can execute arbitrary JavaScript on users' browsers by posting a maliciously crafted onebox url. This issue only affects sites with CSP disabled. This problem has been patched in the latest version of Discourse. Users are...

CVSS 6.5, EPSS 0.00147
Exploits: 0, References: 1
Vulnrichment
added 2024/01/19 7:43 p.m., 1 views

CVE-2024-23331 Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem

Vite is a frontend tooling framework for JavaScript. The Vite dev server option server.fs.deny can be bypassed on case-insensitive file systems using case-augmented versions of filenames. Notably this affects servers hosted on Windows. This bypass is similar to CVE-2023-34092 -- with surface area...

CVSS 7.5, AI score 7, EPSS 0.00479
Exploits: 1, References: 3
myhack58
added 2016/12/10 12:0 a.m., 26 views

PHP 5.6.29 releases, security vulnerability fixes-bug warning-the black bar safety net

The PHP development team announced that PHP 5.6.29 is available. This is a security release that fixes several security vulnerabilities. All PHP 5.6 users are advised to upgrade to this version. Changes: Mysqlnd: Fixed bug 64526 (add missing mysqlnd.* parameters to php.ini-*). Opcache: Fixed bug...

AI score 0.2
Exploits: 0
Tenable Nessus
added 2004/07/06 12:0 a.m., 40 views

RHEL 2.1 : XFree86 (RHSA-2003:289)

Updated XFree86 packages provide security fixes to font libraries and XDM. XFree86 is an implementation of the X Window System providing the core graphical user interface and video drivers. XDM is the X display manager. Multiple integer overflows in the transfer and enumeration of font libraries ...

CVSS 10, AI score 6.2, EPSS 0.05662
Exploits: 0, References: 5
Tenable Nessus
added 2004/07/06 12:0 a.m., 20 views

RHEL 3 : mutt (RHSA-2004:050)

New mutt packages that fix a remotely-triggerable crash in the menu drawing code are now available. Mutt is a text-mode mail user agent. A bug was found in the index menu code in versions of mutt. A remote attacker could send a carefully crafted mail message that can cause mutt to segfault and...

CVSS 7.5, AI score 5.8, EPSS 0.05662
Exploits: 0, References: 3
Gentoo Linux
added 2004/04/09 12:0 a.m., 24 views

iproute local Denial of Service vulnerability

Background: iproute is a set of tools for managing Linux network routing and advanced features. Description: It has been reported that iproute can accept spoofed messages on the kernel netlink interface from local users. This could lead to a local Denial of Service condition. Impact: Local users cou...

CVSS 4.9, AI score 6, EPSS 0.00054
Exploits: 0
CERT
added 2004/01/15 12:0 a.m., 14 views

PostgreSQL VACUUM command allows unprivileged user to remove database transaction log data

Overview: The PostgreSQL VACUUM command contains a vulnerability that allows an unprivileged user to remove database transaction log data. This may result in unrecoverable data loss. Description: PostgreSQL is a database management system. The PostgreSQL VACUUM command is used to clean out records...

AI score 6.9
Exploits: 0, References: 3