Lucene search
2746 matches found

OSV
added 2025/05/30 6:26 a.m., 2 views

CVE-2025-48875 FreeScout Vulnerable to Stored XSS

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.181, the system's incorrect validation of lastname and firstname during profile data updates allows for the injection of arbitrary JavaScript code, which will be executed in a flash-message when the data is deleted...

CVSS 4.6, AI score 6.3, EPSS 0.00188
Exploits: 1, References: 4

Cvelist
added 2025/05/30 6:18 a.m., 10 views

CVE-2025-48489 FreeScout Vulnerable to Stored XSS

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to insufficient data validation and sanitization during data reception. This issue has been patched in version 1.8.180...

CVSS 4.6, EPSS 0.0014
Exploits: 1, References: 1

Vulnrichment
added 2025/05/30 6:17 a.m., 4 views

CVE-2025-48487 FreeScout Vulnerable to Stored XSS

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, when creating a translation of a phrase that appears in a flash-message after a completed action, it is possible to inject a payload to exploit an XSS vulnerability. This issue has been patched in version 1.8.180...

CVSS 6, AI score 6.1, EPSS 0.00181
Exploits: 1, References: 1

OSV
added 2025/05/30 6:16 a.m., 5 views

CVE-2025-48485 FreeScout Vulnerable to Stored XSS

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data when an authenticated user updates the profile of an arbitrary customer...

CVSS 6.1, AI score 5.9, EPSS 0.00165
Exploits: 1, References: 3

Cvelist
added 2025/05/30 6:13 a.m., 13 views

CVE-2025-48492 GetSimple CMS RCE in Edit component

GetSimple CMS is a content management system. In versions starting from 3.3.16 to 3.3.21, an authenticated user with access to the Edit component can inject arbitrary PHP into a component file and execute it via a crafted query string, resulting in Remote Code Execution (RCE). This issue is set to ...

CVSS 8.6, EPSS 0.02799
Exploits: 1, References: 1

The Hacker News
added 2025/05/30 6:11 a.m., 33 views

ConnectWise Hit by Cyberattack; Nation-State Actor Suspected in Targeted Breach

ConnectWise, the developer of remote access and support software ScreenConnect, has disclosed that it was the victim of a cyber attack that it said was likely perpetrated by a nation-state threat actor. "ConnectWise recently learned of suspicious activity within our environment that we believe wa...

CVSS 9.3, AI score 9, EPSS 0.94352
Exploits: 20

NVD
added 2025/05/30 5:15 a.m., 9 views

CVE-2025-48482

FreeScout is a free self-hosted help desk and shared mailbox. Prior to version 1.8.180, there is a mass assignment vulnerability. The Customer object is updated using the fill method, which processes fields such as channel and channelid. However, the fill method is called with all client-provided...

CVSS 5.3, EPSS 0.00091
Exploits: 1, References: 1

CVE
added 2025/05/30 3:37 a.m., 65 views

CVE-2025-47952

Traefik (HTTP reverse proxy/load balancer) had a path-matching bypass vulnerability prior to 2.11.25 and 3.4.1 when a URL with an encoded path string could bypass the middleware chain and target a backend exposed via another router. Affected versions: <2.11.25 and

CVSS 9.1, AI score 6.4, EPSS 0.00399
Exploits: 0, References: 4, Affected software: 1

Tenable Nessus
added 2025/05/30 12:00 a.m., 2 views

Photon OS 4.0: Nodejs PHSA-2025-4.0-0807

An update of the nodejs package has been released. %NASL_MIN_LEVEL 80900 (C) Tenable, Inc. The descriptive text and package checks in this plugin were extracted from VMware Security Advisory PHSA-2025-4.0-0807. The text itself is copyright (C) VMware, Inc. include("compat.inc"); if (description...

CVSS 7.5, AI score 8.1, EPSS 0.00304
Exploits: 0, References: 2

Information Security Automation
added 2025/05/29 9:46 p.m., 11 views

About Cross Site Scripting – MDaemon Email Server (CVE-2024-11182)

About Cross Site Scripting - MDaemon Email Server (CVE-2024-11182). An attacker can send an HTML-formatted email containing malicious JavaScript code embedded in an img tag. If the user opens the email in the MDaemon Email Server's web interface, the malicious JavaScript code will execute in the...

CVSS 6.1, AI score 7.3, EPSS 0.80839
Exploits: 3

OSV
added 2025/05/29 4:32 p.m., 3 views

CVE-2025-46570 vLLM's Chunk-Based Prefix Caching Vulnerable to Potential Timing Side-Channel

vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.9.0, when a new prompt is processed, if the PageAttention mechanism finds a matching prefix chunk, the prefill process speeds up, which is reflected in the TTFT (Time to First Token). These timing differences...

CVSS 2.6, AI score 6.5, EPSS 0.00177
Exploits: 0, References: 5

Positive Technologies
added 2025/05/29 12:00 a.m., 3 views

PT-2025-23672 · Tenda · Tenda Rx3

Name of the Vulnerable Software and Affected Versions: Tenda RX3 version 16.03.13.11 multi TDE01. Description: A critical issue affects the function save staticroute data of the file "/goform/SetStaticRouteCfg". The manipulation of the argument list leads to a stack-based buffer overflow. The atta...

CVSS 9, AI score 8.8, EPSS 0.01701
Exploits: 1, References: 12

CBLMariner
added 2025/05/28 9:14 p.m., 2 views

CVE-2025-32415 affecting package libxml2 for versions less than 2.11.5-5

CVE-2025-32415 affecting package libxml2 for versions less than 2.11.5-5. A patched version of the package is available...

CVSS 7.5, AI score 6.9, EPSS 0.00045
Exploits: 1

CBLMariner
added 2025/05/28 9:14 p.m., 7 views

CVE-2024-4603 affecting package edk2 for versions less than 20240524git3e722403cd16-8

CVE-2024-4603 affecting package edk2 for versions less than 20240524git3e722403cd16-8. A patched version of the package is available...

CVSS 5.3, AI score 7.1, EPSS 0.00092
Exploits: 0

OSV
added 2025/05/28 5:36 p.m., 2 views

GHSA-2HJ5-G64G-FP6P Argo CD allows cross-site scripting on repositories page

Impact: This vulnerability allows an attacker to perform arbitrary actions on behalf of the victim via the API, such as creating, modifying, and deleting Kubernetes resources. Due to the improper filtering of URL protocols in the repository page, an attacker can achieve cross-site scripting with...

CVSS 9, AI score 9.1, EPSS 0.00067
Exploits: 0, References: 4

Positive Technologies
added 2025/05/28 12:00 a.m., 4 views

PT-2025-23074 · Unknown · Llama-Index Cli

Name of the Vulnerable Software and Affected Versions: LLama-Index CLI version v0.12.20. Description: The LLama-Index CLI contains an OS command injection issue due to the improper handling of the --files argument, which is directly passed into os.system. This allows an attacker who controls the...

CVSS 7.8, AI score 8.1, EPSS 0.00112
Exploits: 1, References: 12

OSV
added 2025/05/27 3:03 p.m., 4 views

GHSA-2XV9-GHH9-XC69 radashi Allows Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')

Impact: This is a prototype pollution vulnerability. It impacts users of the set function within the Radashi library. If an attacker can control parts of the path argument to the set function, they could potentially modify the prototype of all objects in the JavaScript runtime, leading to unexpect...

CVSS 8.8, AI score 8.1, EPSS 0.02917
Exploits: 0, References: 4

Positive Technologies
added 2025/05/27 12:00 a.m., 4 views

PT-2025-23019 · Maccms10 · Maccms10

Name of the Vulnerable Software and Affected Versions: maccms10 version 2025.1000.4047. Description: The issue is related to Server-Side Request Forgery (SSRF) in Friend Link Management. This allows an attacker to trick the server into making unintended requests. Recommendations: For version...

CVSS 5.4, AI score 6.2, EPSS 0.00234
Exploits: 1, References: 6

Positive Technologies
added 2025/05/27 12:00 a.m., 3 views

PT-2025-22949 · Unknown · Freefloat Ftp Server

Name of the Vulnerable Software and Affected Versions: FreeFloat FTP Server version 1.0.0. Description: A critical vulnerability was found in the GET Command Handler component of FreeFloat FTP Server, leading to a buffer overflow. This issue can be exploited remotely. The manipulation with the GET...

CVSS 9.8, AI score 7.4, EPSS 0.00479
Exploits: 1, References: 9

OpenVAS
added 2025/05/26 12:00 a.m., 4 views

Fedora: Security Advisory (FEDORA-2024-ef9db8b16d)

The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only if(description...

CVSS 9.8, AI score 7.1, EPSS 0.00708
Exploits: 1, References: 3
