CVE-2025-43858 YoutubeDLSharp allows command injection on windows system due to non sanitized arguments

YoutubeDLSharp is a wrapper for the command-line video downloaders youtube-dl and yt-dlp. In versions starting from 1.0.0-beta4 and prior to 1.1.2, an unsafe conversion of arguments allows the injection of a malicious commands when starting yt-dlp from a commands prompt running on Windows OS with...

CVE-2025-32968

The CVE-2025-32968 issue affects XWiki Platform (org.xwiki.platform:xwiki-platform-oldcore) where a user with SCRIPT right can escape the HQL context via the script query API and perform blind SQL injection. Affected versions span 1.6-milestone-1 up to but not including 15.10.16, 16.4.6, and 16.1...

CVE-2025-32952 io.jmix.localfs:jmix-localfs affected by DoS in the Local File Storage

Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the local file storage implementation does not restrict the size of uploaded files. An attacker could exploit this by uploading excessively large files...

lanskallan.se Cross Site Scripting vulnerability OBB-4048096

Following the coordinated and responsible vulnerability disclosure guidelines of the ISO 29147 standard, Open Bug Bounty has: a. verified the vulnerability and confirmed its existence; b. notified the website operator about its existence. Technical details of the vulnerability are currently hidde...

CVE-2025-32956

Summary: CVE-2025-32956 affects the ManageWiki MediaWiki extension. The vulnerability is an SQL injection in NamespaceMigrationJob triggered when renaming a namespace in Special:ManageWiki/namespaces using a page prefix. The issue stems from unsanitized input in the namespace rename flow and has ...

CVE-2025-32956 ManageWiki has SQL injection vulnerability in NamespaceMigrationJob

ManageWiki is a MediaWiki extension allowing users to manage wikis. Versions before commit f504ed8, are vulnerable to SQL injection when renaming a namespace in Special:ManageWiki/namespaces when using a page prefix namespace name, which is the current namespace you are renaming with an injection...

PT-2025-17375 · Wcms · Wcms

Name of the Vulnerable Software and Affected Versions: WCMS version 11 Description: A critical vulnerability was found in WCMS 11, affecting an unknown function of the file app/controllers/AnonymousController.php. The manipulation of the email/username argument leads to SQL injection. It is...

CVE-2025-32377 Rasa Pro Missing Authentication For Voice Connector APIs

Rasa Pro is a framework for building scalable, dynamic conversational AI assistants that integrate large language models LLMs. A vulnerability has been identified in Rasa Pro where voice connectors in Rasa Pro do not properly implement authentication even when a token is configured in the...

CVE-2025-32442

Fastify is a fast and low overhead web framework, for Node.js. In versions 5.0.0 to 5.3.0 as well as version 4.29.0, applications that specify different validation strategies for different content types have a possibility to bypass validation by providing a slightly altered content type such as...

CVE-2025-32778

Web-Check is an all-in-one OSINT tool for analyzing any website. A command injection vulnerability exists in the screenshot API of the Web Check project Lissy93/web-check. The issue stems from user-controlled input url being passed unsanitized into a shell command using exec, allowing attackers t...

PT-2025-18723 · Unknown · Pcman Ftp Server

Name of the Vulnerable Software and Affected Versions: PCMan FTP Server version 2.0.7 Description: A critical issue was found in the BELL Command Handler component of PCMan FTP Server, leading to a buffer overflow. This can be exploited remotely. The issue has been publicly disclosed and may be...

CVE-2025-32789 EspoCRM Allows Potential Disclosure of Sensitive Information in the User Sorting Function

EspoCRM is an Open Source Customer Relationship Management software. Prior to version 9.0.7, users can be sorted by their password hash. This flaw allows an attacker to make assumptions about the hash values of other users stored in the password column of the user table, based on the results of t...

CVE-2025-22038

In the Linux kernel, the following vulnerability has been resolved: ksmbd: validate zero numsubauth before subauth is accessed Access psid-subauthpsid-numsubauth - 1 without checking if numsubauth is non-zero leads to an out-of-bounds read. This patch adds a validation step to ensure numsubauth !...

CVE-2024-53259 affecting package coredns for versions less than 1.11.4-1

CVE-2024-53259 affecting package coredns for versions less than 1.11.4-1. A patched version of the package is available...

CVE-2024-10089

Internet Starter, one of SoftCOM iKSORIS system modules, is vulnerable to Stored XSS Cross-site Scripting attacks. An attacker might trick a user into filling a form designed for changing user's data with a malicious script, what causes the script to run in user's context. This vulnerability has...

CVE-2025-22073

CVE-2025-22073 concerns the Linux kernel spufs subsystem. The issue is a leak in spufs_new_file() on failure during spufs_fill_dir(), where the caller proceeds to spufs_rmdir() to clean up, but the resulting dentry remains negative and must be explicitly dropped. The vulnerability is resolved in ...

PT-2025-16788 · Wxwidgets +2 · Wxwidgets +2

Name of the Vulnerable Software and Affected Versions: wxWidgets versions prior to 3.2.7 Description: A crash can be triggered in wxWidgets apps when connections are refused in wxWebRequestCURL. Recommendations: For versions prior to 3.2.7, update to version 3.2.7 or later to resolve the issue...

CVE-2025-32778 Web-Check allows command Injection via Unvalidated URL in Screenshot API

Web-Check is an all-in-one OSINT tool for analyzing any website. A command injection vulnerability exists in the screenshot API of the Web Check project Lissy93/web-check. The issue stems from user-controlled input url being passed unsanitized into a shell command using exec, allowing attackers t...

CVE-2025-32779 labsai/eddi Vulnerable to Path Traversal (Zip Slip) in ZIP Import Function

E.D.D.I Enhanced Dialog Driven Interface is a middleware to connect and manage LLM API bots. In versions before 5.5.0, an attacker with access to the /backup/import API endpoint can write arbitrary files to locations outside the intended extraction directory due to a Zip Slip vulnerability...

CVE-2024-47822

Directus is a real-time API and App dashboard for managing SQL database content. Access tokens from query strings are not redacted and are potentially exposed in system logs which may be persisted. The access token in req.query is not redacted when the LOGSTYLE is set to raw. If these logs are no...