CVE
added 2025/08/22 7:24 a.m. · 31 views

CVE-2025-8678

The CVE-2025-8678 entry concerns the WordPress WP Crontrol plugin. Affected versions 1.17.0–1.19.1 expose a blind Server-Side Request Forgery via wp_remote_request() that can be exploited by authenticated administrators or higher to issue web requests from the WordPress host to arbitrary external...

CVSS 5.9 · AI score 5.3 · EPSS 0.00323
Exploits 0 · References 3
CNNVD
added 2025/08/22 12:00 a.m. · 3 views

ZITADEL security vulnerability

ZITADEL is a modern open source alternative to Auth0, Firebase Auth, AWS Cognito, and Keycloak built for the container and serverless era from the Swiss ZITADEL open source. A security vulnerability exists in ZITADEL versions 4.0.0 through 4.0.2, 3.0.0 through 3.3.6, and versions prior to 2.71.15...

CVSS 5.3 · AI score 6.5 · EPSS 0.0035
Exploits 0 · References 8
Positive Technologies
added 2025/08/22 12:00 a.m. · 5 views

PT-2025-34465 · Unknown · Audiobookshelf

Name of the Vulnerable Software and Affected Versions: Audiobookshelf versions 2.6.0 through 2.26.3. Description: Audiobookshelf is an open-source self-hosted audiobook server. The application does not properly restrict redirect callback URLs during OIDC authentication. An attacker can craft a log...

CVSS 8.8 · AI score 7.1 · EPSS 0.00429
Exploits 1 · References 8
Positive Technologies
added 2025/08/22 12:00 a.m. · 6 views

PT-2025-34499 · Linksys · Linksys Re9000 +5

Name of the Vulnerable Software and Affected Versions: Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 versions 1.0.013.001 through 1.2.07.001. Description: A stack-based buffer overflow exists in the scheduleAdd function within the /goform/scheduleAdd file. Manipulation of the ruleName...

CVSS 9 · AI score 8.9 · EPSS 0.0087
Exploits 1 · References 11
Vulnrichment
added 2025/08/21 7:29 p.m. · 3 views

CVE-2025-55107 BUG-000177335 ArcGIS Enterprise Sites has a stored Cross-site Scripting vulnerability.

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which, when loaded, could potentially execute arbitrary JavaScript code in th...

CVSS 4.8 · AI score 7 · EPSS 0.00209
Exploits 0 · References 1
Cvelist
added 2025/08/21 7:29 p.m. · 5 views

CVE-2025-55106 BUG-000173171 ArcGIS Enterprise Sites has a Cross-site Scripting vulnerability.

There is a stored Cross-site Scripting vulnerability in Esri Portal for ArcGIS Enterprise Sites versions 10.9.1 – 11.4 that may allow a remote, authenticated attacker to inject a malicious file with an embedded XSS script which, when loaded, could potentially execute arbitrary JavaScript code in th...

CVSS 4.8 · EPSS 0.00207
Exploits 0 · References 1
NVD
added 2025/08/21 8:15 a.m. · 3 views

CVE-2025-47700

Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies, which allows users to trick users into clicking malicious links via post actions...

CVSS 3.5 · EPSS 0.00174
Exploits 0 · References 1
Vulnrichment
added 2025/08/21 7:28 a.m. · 3 views

CVE-2025-47700 AI plugin APIs can be triggered using post actions

Mattermost Server versions 10.5.x <= 10.5.9 utilizing the Agents plugin fail to reject empty request bodies, which allows users to trick users into clicking malicious links via post actions...

CVSS 3.5 · AI score 7 · EPSS 0.00174
Exploits 0 · References 1
Vulnrichment
added 2025/08/21 7:15 a.m. · 2 views

CVE-2025-49810 Thread summarization allows persistent access to channel

Mattermost versions 10.5.x <= 10.5.8 fail to validate access controls at time of access, which allows a user to read a thread via AI posts...

CVSS 3.5 · AI score 7 · EPSS 0.00185
Exploits 0 · References 1
CNNVD
added 2025/08/21 12:00 a.m. · 3 views

vLLM resource management error vulnerability

vLLM is a high throughput and memory efficient inference and service engine for LLM from the vLLM open source. A resource management error vulnerability exists in vLLM versions prior to 0.1.0 through 0.10.1.1, which stems from the fact that sending an HTTP GET request with a very large header cou...

CVSS 7.5 · AI score 6.2 · EPSS 0.00527
Exploits 0 · References 5
Positive Technologies
added 2025/08/21 12:00 a.m. · 3 views

PT-2025-34225 · Vllm · Vllm

Name of the Vulnerable Software and Affected Versions: vLLM versions 0.1.0 through 0.10.1.0. Description: vLLM is an inference and serving engine for large language models (LLMs). A Denial of Service (DoS) vulnerability can be triggered by sending a single HTTP GET request with an extremely large head...

CVSS 7.5 · AI score 7.3 · EPSS 0.00527
Exploits 0 · References 11
GitLab Advisory Database
added 2025/08/21 12:00 a.m. · 13 views

hippo4j Includes Hard Coded Secret Key in JWT Creation

hippo4j 1.0.0 to 1.5.0 uses a hard-coded secret key in its JWT (JSON Web Token) creation. This allows attackers with access to the source code or compiled binary to forge valid access tokens and impersonate any user, including privileged ones such as "admin". The vulnerability poses a critical...

CVSS 8.8 · AI score 7.5 · EPSS 0.00325
Exploits 0 · References 5 · Affected Software 1
Tenable Nessus
added 2025/08/21 12:00 a.m. · 4 views

Linux Distros Unpatched Vulnerability : CVE-2019-8321

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor-supplied patch available. - An issue was discovered in RubyGems 2.6 and later through 3.0.2. Since Gem::UserInteraction#verbose calls say without escaping, escape sequence injection is...

CVSS 7.5 · AI score 6.6 · EPSS 0.03372
Exploits 0 · References 2
vulnersOsv
added 2025/08/20 10:43 p.m. · 4 views

@n8n/task-runner (>=1.37.0 <=1.42.3), n8n-node-dev (>=1.0.0 <=1.104.3) +10 more potentially affected by CVE-2025-57749 via n8n-core (>=1.0.0 <=1.105.3)

n8n-core NPM version =1.0.0, =1.37.0, =1.0.0, =0.1.0, =0.3.3, =0.3.1, =1.1.0, =0.1.4, =0.4.10, =0.2.0, =0.1.0, =0.4.28 Source cves: CVE-2025-57749 Source advisory: SNYK:JS-N8NCORE-12081401...

CVSS 6.5 · AI score 5.8 · EPSS 0.00445
Exploits 0
vulnersOsv
added 2025/08/20 8:51 p.m. · 9 views

@6missedcalls-ai/zora-mcp-server (>=0.1.2 <=0.1.3), @aurracloud/agentkit (>=0.9.0 <=0.10.0) +31 more potentially affected by unknown CVE via x402 (>=0.1.2 <=0.4.3)

x402 NPM version =0.1.2, =0.1.2, =0.9.0, =0.1.0-alpha.1, =0.0.1, =0.0.1, =0.0.1, =0.0.0-nightly-20250711210411, =0.3.0, =0.0.3, =0.1.2, =0.1.3 - @openflow-sh/sdk =1.0.0 - @thorium-dev-group/x402-mcp-extension =0.1.0 and more Source cves: unknown CVE Source advisory: OSV:GHSA-3J63-5H8P-GF7C...

AI score 5.8
Exploits 0
Cvelist
added 2025/08/20 8:08 p.m. · 15 views

CVE-2025-54988 Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA

Critical XXE in Apache Tika tika-parser-pdf-module in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to...

CVSS 8.4 · EPSS 0.02962
Exploits 4 · References 1
Vulnrichment
added 2025/08/20 8:08 p.m. · 8 views

CVE-2025-54988 Apache Tika PDF parser module: XXE vulnerability in PDFParser's handling of XFA

Critical XXE in Apache Tika tika-parser-pdf-module in Apache Tika 1.13 through and including 3.2.1 on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to...

CVSS 8.4 · AI score 7.1 · EPSS 0.02962
Exploits 4 · References 1
vulnersOsv
added 2025/08/20 7:09 p.m. · 3 views

@regis-samurai/n8n (>=0.216.1 <=0.219.1), n8n-nodes-accelo (>=0.1.0 <=0.1.9) +11 more potentially affected by CVE-2025-57749 via n8n (>=0.138.0 <=0.93.0)

n8n NPM version =0.138.0, =0.216.1, =0.1.0, =0.18.0, =0.1.0, =0.1.0, =0.2.14, =0.1.0, =0.1.0, =0.0.2, =0.0.2, =1.1.3 Source cves: CVE-2025-57749 Source advisory: OSV:GHSA-GGJM-F3G4-RWMM...

CVSS 6.5 · AI score 5.8 · EPSS 0.00445
Exploits 0
Cvelist
added 2025/08/20 5:58 p.m. · 29 views

CVE-2025-55746 Directus allows unauthenticated file upload and file modification due to lacking input sanitization

Directus is a real-time API and App dashboard for managing SQL database content. From 10.8.0 to before 11.9.3, a vulnerability exists in the file update mechanism which allows an unauthenticated actor to modify existing files with arbitrary contents without changes being applied to the files'...

CVSS 9.3 · EPSS 0.00438
Exploits 1 · References 2
NVD
added 2025/08/20 3:15 p.m. · 6 views

CVE-2025-36114

IBM QRadar SOAR Plugin App 1.0.0 through 5.6.0 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system...

CVSS 7.5 · EPSS 0.00455
Exploits 0 · References 1