18 matches found

OSV | added 2025/11/19 12:00 a.m. | 1 view
OPENSUSE-SU-2025:15746-1 libvirt-11.9.0-2.1 on GA media
These are all security issues fixed in the libvirt-11.9.0-2.1 package on the GA media of openSUSE Tumbleweed...
CVSS 5.5 | AI score 5.8 | EPSS 0.00109 | Exploits: 0 | References: 2

EUVD | added 2025/10/03 8:07 p.m. | 5 views
EUVD-2025-21407
Malicious code in bioql PyPI...
CVSS 6.5 | AI score 6.4 | EPSS 0.00244 | Exploits: 0 | References: 4

SUSE CVE | added 2025/08/19 11:21 p.m. | 1 view
SUSE CVE-2025-54880
Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user supplied input for architecture diagram icons is passed to the d3 html...
CVSS 6.1 | AI score 6.1 | EPSS 0.00015 | Exploits: 1 | References: 3

NVD | added 2025/08/19 5:15 p.m. | 4 views
CVE-2025-54881
Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 10.9.0-rc.1 to 11.9.0, user supplied input for sequence diagram labels is passed to innerHTML duri...
CVSS 5.3 | EPSS 0.00027 | Exploits: 0 | References: 3

NVD | added 2025/08/19 5:15 p.m. | 2 views
CVE-2025-54880
Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user supplied input for architecture diagram icons is passed to the d3 html...
CVSS 6.1 | EPSS 0.00015 | Exploits: 1 | References: 3

OSV | added 2025/08/19 4:58 p.m. | 2 views
CVE-2025-54880 Mermaid does not properly sanitize architecture diagram iconText leading to XSS
Mermaid is a JavaScript based diagramming and charting tool that uses Markdown-inspired text definitions and a renderer to create and modify complex diagrams. In the default configuration of mermaid 11.9.0 and earlier, user supplied input for architecture diagram icons is passed to the d3 html...
CVSS 5.1 | AI score 5.7 | EPSS 0.00015 | Exploits: 1 | References: 5

CVE | added 2025/08/19 4:58 p.m. | 59 views
CVE-2025-54880
CVE-2025-54880 affects mermaid up to version 11.9.0 where user-provided input for architecture diagrams is passed to d3.html(), creating a cross-site scripting sink. The CVE description notes the issue is fixed in 11.10.0. Connected GHSA advisory for Gogs highlights stored XSS via mermaid diagram...
CVSS 6.1 | AI score 6.3 | EPSS 0.00015 | Exploits: 1 | References: 3 | Affected software: 1

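The mermaid entries above (CVE-2025-54880 for architecture icon text, CVE-2025-54881 for sequence diagram labels) describe one sink class: diagram-author text reaching d3's selection.html(), which sets innerHTML, instead of a text-only setter. The following is an added example, not mermaid's or d3's code, that contrasts the two patterns in plain JavaScript string output (so it runs without a DOM) and shows a lookup-based icon resolver that never treats icon text as markup. `ICON_REGISTRY`, `PAYLOAD`, `looksLikeActiveMarkup` and the other helper names are constructed for this illustration.

```javascript
// Added example, not mermaid's or d3's code. Contrasts the markup sink named in
// CVE-2025-54880/54881 (d3 selection.html(), i.e. innerHTML) with text-only rendering
// and with a lookup-based icon resolver, using plain string output so it runs without a DOM.

// Escape the characters that let text become markup or break out of an attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Vulnerable pattern: diagram text becomes markup, as with element.innerHTML = label
// or d3's selection.html(label).
function renderLabelUnsafe(label) {
  return `<div class="label">${label}</div>`;
}

// Hardened pattern: the equivalent of element.textContent / d3's selection.text(label).
function renderLabelSafe(label) {
  return `<div class="label">${escapeHtml(label)}</div>`;
}

// Hypothetical icon registry (an assumption for this example): icon text is a lookup
// key into trusted, build-time SVG, never markup supplied by the diagram author.
const ICON_REGISTRY = {
  database: '<svg viewBox="0 0 16 16"><ellipse cx="8" cy="4" rx="6" ry="2"/></svg>',
  server: '<svg viewBox="0 0 16 16"><rect x="2" y="2" width="12" height="12"/></svg>',
};

function renderIconSafe(iconText) {
  const key = String(iconText).trim().toLowerCase();
  // hasOwnProperty: a name like "constructor" must not resolve through Object.prototype.
  if (Object.prototype.hasOwnProperty.call(ICON_REGISTRY, key)) return ICON_REGISTRY[key];
  // Unknown icon: echo the name as escaped text so an attacker-chosen name cannot inject markup.
  return `<span class="icon-missing">${escapeHtml(iconText)}</span>`;
}

// Check used only by this example: does the output contain a tag with an event-handler
// attribute, a script/iframe element, or a javascript: URL inside a tag?
function looksLikeActiveMarkup(html) {
  return /<(script|iframe)\b|<[a-z][^>]*\son[a-z]+\s*=|<[a-z][^>]*javascript:/i.test(html);
}

// Constructed payload of the kind the advisories describe.
const PAYLOAD = '<img src=x onerror="alert(document.cookie)">';

function demo() {
  return {
    unsafe: looksLikeActiveMarkup(renderLabelUnsafe(PAYLOAD)),
    safe: looksLikeActiveMarkup(renderLabelSafe(PAYLOAD)),
    icon: looksLikeActiveMarkup(renderIconSafe(PAYLOAD)),
  };
}

console.log(demo()); // { unsafe: true, safe: false, icon: false }
```

The registry lookup is the part worth copying: once icon text is an identifier rather than a fragment, escaping is only needed on the fallback path, and the hasOwnProperty guard keeps names such as `constructor` or `__proto__` from resolving to something that is not an icon.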
RedhatCVE | added 2025/07/17 12:50 a.m. | 9 views
CVE-2025-53889
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow...
CVSS 6.5 | AI score 7.8 | EPSS 0.00244 | Exploits: 0 | References: 1

RedhatCVE | added 2025/07/16 11:44 p.m. | 10 views
CVE-2025-53885
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console" operation and a template...
CVSS 4.2 | AI score 7.7 | EPSS 0.00109 | Exploits: 0 | References: 1

NVD | added 2025/07/15 12:15 a.m. | 7 views
CVE-2025-53889
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow...
CVSS 6.5 | EPSS 0.00244 | Exploits: 0 | References: 3

NVD | added 2025/07/15 12:15 a.m. | 3 views
CVE-2025-53885
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows to handle CRUD events for users it is possible to log the incoming data to console using the "Log to Console" operation and a template...
CVSS 4.2 | EPSS 0.00109 | Exploits: 0 | References: 4

Cvelist | added 2025/07/14 11:50 p.m. | 7 views
CVE-2025-53889 Directus missing permission checks for manual trigger Flows
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.12.0 and prior to version 11.9.0, Directus Flows with a manual trigger are not validating whether the user triggering the Flow has permissions to the items provided as payload to the Flow...
CVSS 6.5 | EPSS 0.00244 | Exploits: 0 | References: 3

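The CVE-2025-53889 entries describe a manual-trigger Flow that acts on whatever item keys arrive in its payload without checking that the triggering user may access those items. The added example below is not Directus code; it models the missing check against a constructed in-memory collection and permission table. `STORE`, `PERMISSIONS`, the role names, the rows and the function names are all assumptions for the illustration.

```javascript
// Added example, not Directus code: the permission check a manual-trigger Flow must
// run on its payload keys before acting on them (the check CVE-2025-53889 says was missing).

// Constructed in-memory collection: collection -> primary key -> row.
const STORE = {
  articles: {
    1: { id: 1, title: 'Public post', author: 'alice', status: 'published' },
    2: { id: 2, title: 'Draft', author: 'bob', status: 'draft' },
    3: { id: 3, title: 'Board memo', author: 'carol', status: 'private' },
  },
};

// Constructed permission rules: (role, collection, action) -> row-level predicate.
const PERMISSIONS = [
  { role: 'admin', collection: 'articles', action: 'read', allow: () => true },
  { role: 'editor', collection: 'articles', action: 'read',
    allow: (row, user) => row.status === 'published' || row.author === user.name },
];

class ForbiddenError extends Error {}

// Resolve the payload keys through the *triggering user's* permissions, not the Flow's.
// Fails closed: a missing rule, an unknown key, or a row the predicate rejects all deny,
// and the message does not reveal which of the three it was.
function authorizeManualTrigger(user, collection, keys) {
  const rule = PERMISSIONS.find(p =>
    p.role === user.role && p.collection === collection && p.action === 'read');
  if (!rule) throw new ForbiddenError(`no read access to ${collection}`);
  const rows = [];
  for (const key of keys) {
    const row = (STORE[collection] || {})[key];
    if (!row || !rule.allow(row, user)) throw new ForbiddenError(`forbidden key in ${collection}`);
    rows.push(row);
  }
  return rows;
}

// The Flow body: whatever operation chain acts on the resolved items.
function flowBody(rows) {
  return rows.map(r => `${r.id}:${r.title}`);
}

// Vulnerable shape: payload keys are trusted and resolved with the Flow's own access.
function runFlowUnchecked(collection, keys) {
  const rows = keys.map(k => (STORE[collection] || {})[k]).filter(Boolean);
  return flowBody(rows);
}

// Fixed shape: the same keys are resolved only after the triggering user is authorized.
function runFlowChecked(user, collection, keys) {
  return flowBody(authorizeManualTrigger(user, collection, keys));
}

// Yes/no form of the same check, for callers that do not want an exception.
function canTrigger(user, collection, keys) {
  try { authorizeManualTrigger(user, collection, keys); return true; }
  catch (e) { if (e instanceof ForbiddenError) return false; throw e; }
}

console.log(runFlowUnchecked('articles', [1, 3]));                          // leaks the private row
console.log(canTrigger({ name: 'alice', role: 'editor' }, 'articles', [1, 3])); // false
```

The point of the shape is that authorization runs on the caller's identity before the Flow's own (usually elevated) access resolves anything; checking afterwards, or checking only the collection rather than each key, leaves the original problem in place.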
CVE | added 2025/07/14 11:40 p.m. | 18 views
CVE-2025-53887
Summary: Directus prior to 11.9.0 exposes the exact running version via the OpenAPI spec at /server/specs/oas, enabling targeted lookups for known vulnerabilities in Directus core and dependencies. This information disclosure is fixed in 11.9.0. What’s affected: Directus real-time API and app das...
CVSS 5.3 | AI score 7 | EPSS 0.00316 | Exploits: 0 | References: 4 | Affected software: 1

Cvelist | added 2025/07/14 11:35 p.m. | 5 views
CVE-2025-53886 Directus doesn't redact tokens in Flow logs
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged including security sensitive data like access and refresh tokens in...
CVSS 4.5 | EPSS 0.0031 | Exploits: 0 | References: 4

Vulnrichment | added 2025/07/14 11:35 p.m. | 2 views
CVE-2025-53886 Directus doesn't redact tokens in Flow logs
Directus is a real-time API and App dashboard for managing SQL database content. Starting in version 9.0.0 and prior to version 11.9.0, when using Directus Flows with the WebHook trigger all incoming request details are logged including security sensitive data like access and refresh tokens in...
CVSS 4.5 | AI score 7.7 | EPSS 0.0031 | Exploits: 0 | References: 4

CVE | added 2025/07/14 11:35 p.m. | 27 views
CVE-2025-53886
Directus vulnerability CVE-2025-53886 affects Directus with Flows using the WebHook trigger prior to version 11.9.0. The issue logs all incoming request details, including sensitive data such as access and refresh tokens stored in cookies, enabling a user with log access (malicious admins) to hij...
CVSS 4.5 | AI score 7 | EPSS 0.0031 | Exploits: 0 | References: 4 | Affected software: 1

CVE | added 2025/07/14 11:18 p.m. | 24 views
CVE-2025-53885
Directus Flows logs can disclose sensitive user data via the Log to Console operation. Affected: Directus real-time API/dashboard prior to 11.9.0 (versions 9.0.0–11.8.x). Root cause: logging unfettered input during user create/update events, enabling a malicious admin to view other users’ data. I...
CVSS 4.2 | AI score 7 | EPSS 0.00109 | Exploits: 0 | References: 4 | Affected software: 1

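CVE-2025-53886 and CVE-2025-53885 are both log-sink problems: a WebHook-triggered Flow logs the whole incoming request (cookies and tokens included), and a "Log to Console" operation on user create/update events prints the raw payload, so anyone who can read Flow logs collects credentials or other users' data. The added example below is not Directus code; it is a key-aware, cookie-aware, URL-aware redactor applied to a constructed request of the shape the advisories describe. The cookie names (`directus_refresh_token`, `directus_session_token`), the trigger path and every sample value are assumptions for the illustration.

```javascript
// Added example, not Directus code: redact secrets from request details and user
// payloads before a Flow writes them to its log (CVE-2025-53886 / CVE-2025-53885).

const MASK = '[redacted]';

// Key names treated as secret-bearing. Substring match on purpose: fail closed.
const SENSITIVE_KEY = /token|secret|passw|api[-_]?key|session|^authorization$|^set-cookie$/i;

// Cookie header: mask only the values of cookies whose names look sensitive.
function redactCookieHeader(value) {
  return String(value)
    .split(';')
    .map(part => part.trim())
    .filter(Boolean)
    .map(part => {
      const eq = part.indexOf('=');
      if (eq < 0) return part;
      const name = part.slice(0, eq);
      return SENSITIVE_KEY.test(name) ? `${name}=${MASK}` : part;
    })
    .join('; ');
}

// URL: mask sensitive query parameters (e.g. access_token=...) but keep path and param names.
function redactUrl(value) {
  const u = new URL(String(value), 'http://placeholder.invalid');
  for (const name of [...u.searchParams.keys()]) {
    if (SENSITIVE_KEY.test(name)) u.searchParams.set(name, MASK);
  }
  return u.pathname + u.search + u.hash;
}

// Deep, non-mutating redaction by key name; handles arrays, nesting and cycles.
function redact(value, seen = new WeakSet()) {
  if (Array.isArray(value)) return value.map(v => redact(v, seen));
  if (value && typeof value === 'object') {
    if (seen.has(value)) return '[circular]';
    seen.add(value);
    const out = {};
    for (const [key, v] of Object.entries(value)) {
      const k = key.toLowerCase();
      if (k === 'cookie') out[key] = redactCookieHeader(v);
      else if (k === 'url') out[key] = redactUrl(v);
      else if (SENSITIVE_KEY.test(key)) out[key] = MASK;
      else out[key] = redact(v, seen);
    }
    return out;
  }
  return value;
}

// What a WebHook-triggered Flow would log: the whole incoming request, redacted.
function redactRequestForLog(req) {
  return redact(req);
}

// Constructed sample in the shape the advisories describe. The cookie names and the
// trigger path are assumptions for this example, not values taken from the advisories.
const SAMPLE_REQUEST = {
  method: 'POST',
  url: '/flows/trigger/EXAMPLE_FLOW_ID?access_token=abc123&format=json',
  headers: {
    'content-type': 'application/json',
    authorization: 'Bearer eyJhbGciOiJIUzI1NiJ9.example.signature',
    cookie: 'theme=dark; directus_refresh_token=r3fr3sh-example; directus_session_token=s3ss10n-example',
  },
  query: { access_token: 'abc123', format: 'json' },
  // The same redactor covers the user create/update payload a "Log to Console" operation prints.
  body: { email: 'alice@example.com', password: 'hunter2', first_name: 'Alice' },
};

console.log(JSON.stringify(redactRequestForLog(SAMPLE_REQUEST), null, 2));
```

Redaction has to happen at the point where the object is serialised for the log, not in the handler that receives the request: the cookie header and the URL carry secrets that a naive key-based walk would miss, which is why both get their own parser here.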
NVD | added 2021/08/31 4:15 a.m. | 10 views
CVE-2020-13639
A stored XSS vulnerability was discovered in the ECT Provider in OutSystems before 2020-09-04, affecting generated applications. It could allow an unauthenticated remote attacker to craft and store malicious Feedback content into /ECTProvider/, such that when the content is viewed it can only be...
CVSS 6.1 | EPSS 0.00419 | Exploits: 0 | References: 2