2772 matches found
CVE-2024-13858
The BuddyBoss Platform plugin and BuddyBoss Theme for WordPress are vulnerable to Stored Cross-Site Scripting via the ‘inviteename’ parameter in all versions up to, and including, 2.8.50 and 2.8.41, respectively, due to insufficient input sanitization and output escaping. This makes it possible fo...
PT-2025-18922 · Unknown · Handrew Browserpilot
Name of the Vulnerable Software and Affected Versions: handrew browserpilot versions up to 0.2.51 Description: A critical issue was found in the GPTSeleniumAgent function of the file browserpilot/browserpilot/agents/gpt_selenium_agent.py. The manipulation of the instructions argument leads to cod...
CVE-2025-46569 OPA server Data API HTTP path injection of Rego
Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation, where a Rego query containing a singl...
CVE-2025-46568 Stirling-PDF Server-Side Request Forgery (SSRF)-Induced Arbitrary File Read Vulnerability
Stirling-PDF is a locally hosted web application that allows you to perform various operations on PDF files. Prior to version 0.45.0, Stirling-PDF is vulnerable to SSRF-induced arbitrary file read. WeasyPrint redefines a set of HTML tags, including img, embed, object, and others. The references t...
CVE-2022-49908
CVE-2022-49908 affects the Linux kernel Bluetooth path, where a memory leak could occur in L2CAP/vhci_write: when an ACL fragment lacks the L2CAP length, the HCI core may copy the skb to conn->rx_skb and finish processing without freeing it. The provided patches fix this by releasing the relat...
CVE-2022-49795 rethook: fix a potential memleak in rethook_alloc()
In the Linux kernel, the following vulnerability has been resolved: rethook: fix a potential memleak in rethook_alloc() In rethook_alloc(), the variable rh is not freed or passed out if handler is NULL, which could lead to a memleak, fix it. Masami: Add "rethook:" tag to the title. Acke-by: Masami...
CVE-2025-37775 ksmbd: fix the warning from __kernel_write_iter
In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix the warning from __kernel_write_iter 2110.972290 ------------ cut here ------------ 2110.972301 WARNING: CPU: 3 PID: 735 at fs/read_write.c:599 __kernel_write_iter+0x21b/0x280 This patch doesn't allow writing to directory...
PT-2025-18361 · Unknown · Phpgurukul Curfew E-Pass Management System
Name of the Vulnerable Software and Affected Versions: PHPGurukul Curfew e-Pass Management System version 1.0 Description: A critical issue affects the processing of the file "/admin/pass-bwdates-reports-details.php". The manipulation of the fromdate argument leads to SQL injection. The attack ca...
PT-2025-18353 · WordPress · Newsblogger
Name of the Vulnerable Software and Affected Versions: NewsBlogger theme for WordPress versions up to, and including, 0.2.5.1 Description: The NewsBlogger theme for WordPress is vulnerable to arbitrary file uploads due to a missing capability check on the newsblogger install and activate plugin...
PT-2025-18387 · Unknown · Phpgurukul Employee Record Management System
Name of the Vulnerable Software and Affected Versions: PHPGurukul Employee Record Management System version 1.3 Description: A critical vulnerability was found in the PHPGurukul Employee Record Management System. The issue affects an unknown function of the file changepassword.php. The manipulati...
CVE-2025-46331 OpenFGA Authorization Bypass
OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.10 to v1.3.6 Helm chart = openfga-0.2.28, docker = v.1.8.10 are vulnerable to authorization bypass when certain Check and ListObject calls are executed. Th...
CVE-2025-32970
XWiki is a generic wiki platform. In versions starting from 13.5-rc-1 to before 15.10.13, from 16.0.0-rc-1 to before 16.4.4, and from 16.5.0-rc-1 to before 16.8.0, an open redirect vulnerability in the HTML conversion request filter allows attackers to construct URLs on an XWiki instance that...
CVE-2025-32376 Discourse DM limits aren’t always properly enforced
Discourse is an open-source discussion platform. Prior to versions 3.4.3 on the stable branch and 3.5.0.beta3 on the beta branch, the users limit for a DM can be bypassed, thus giving the ability to potentially create a DM with every user from a site in it. This issue has been patched in stable...
subfinder-2.7.0-3.1 on GA media (moderate)
subfinder-2.7.0-3.1 on GA media Announcement ID: openSUSE-SU-2025:15034-1 Rating: moderate Cross-References: CVE-2025-22872 CVSS scores: CVE-2025-22872 SUSE : 6.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:L CVE-2025-22872 SUSE : 6.3 CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L...
CVE-2025-32952
Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the local file storage implementation does not restrict the size of uploaded files. An attacker could exploit this by uploading excessively large files...
WordPress Xpro Elementor Addons - Pro plugin <= 1.4.9 - Authenticated (Contributor+) Remote Code Execution vulnerability
WordPress Xpro Elementor Addons - Pro plugin <= 1.4.9 - Authenticated (Contributor+) Remote Code Execution vulnerability discovered by stealthcopter in WordPress Plugin Xpro Elementor Addons - Pro versions <= 1.4.9...
CVE-2025-32956
ManageWiki is a MediaWiki extension allowing users to manage wikis. Versions before commit f504ed8 are vulnerable to SQL injection when renaming a namespace in Special:ManageWiki/namespaces when using a page prefix namespace name, which is the current namespace you are renaming with an injection...
CVE-2025-43864
React Router is a router for React. Starting in version 7.2.0 and prior to version 7.5.2, it is possible to force an application to switch to SPA mode by adding a header to the request. If the application uses SSR and is forced to switch to SPA, this causes an error that completely corrupts the...
PT-2025-17882 · WordPress · Prevent Direct Access – Protect Wordpress Files
Name of the Vulnerable Software and Affected Versions: Prevent Direct Access – Protect WordPress Files plugin versions 2.8.6 through 2.8.8.2 Description: The issue allows unauthorized access and modification of data due to a misconfigured capability check on the pda lite custom permission check...
WordPress EduMall Theme <= 4.2.4 is vulnerable to Local File Inclusion
Software: EduMall; Type: Theme; Vulnerable versions: <= 4.2.4; Fixed in: 4.3.0; OWASP Top 10: A1: Injection; Classification: Local File Inclusion; CVE: CVE-2025-2101; Patch priority: High; CVSS severity: High 8.1; PSID: ce27fee25f49; Credits: Tonn; Required privilege: Unauthenticated; Published ...