73 CVEs tracked today. 8 Critical, 28 High, 24 Medium, 4 Low.
-
CVE-2025-49710
CRITICAL
CVSS 9.8
An integer overflow vulnerability exists in the OrderedHashTable component of Firefox's JavaScript engine, allowing remote attackers to achieve arbitrary code execution without requiring user interaction or elevated privileges. This critical flaw affects Firefox versions prior to 139.0.4 and carries a CVSS score of 9.8, reflecting a network-based attack vector that requires no user interaction and severe real-world risk.
Mozilla
Integer Overflow
Firefox
Suse
-
CVE-2025-49709
CRITICAL
CVSS 9.8
Critical memory corruption vulnerability in Firefox canvas operations that allows unauthenticated remote attackers to achieve arbitrary code execution with no user interaction required. Firefox versions prior to 139.0.4 are affected. The vulnerability has a near-perfect CVSS score of 9.8 due to network accessibility, low attack complexity, and complete compromise of confidentiality, integrity, and availability.
Mozilla
Memory Corruption
Firefox
Suse
-
CVE-2025-41663
CRITICAL
CVSS 9.8
Critical command injection vulnerability in u-link Management API that allows unauthenticated remote attackers positioned as man-in-the-middle (MITM) to inject arbitrary commands into WWH server responses, which are then executed with elevated privileges. The vulnerability requires clients to use insecure proxy configurations to exploit, resulting in complete system compromise (CVSS 9.8). While no public POC or KEV listing is available at publication, the attack vector is network-based with low complexity, making this a significant priority for organizations using u-link with proxy infrastructure.
Command Injection
RCE
Privilege Escalation
Authentication Bypass
-
CVE-2025-40914
CRITICAL
CVSS 9.8
Perl CryptX before version 0.087 contains an embedded version of the libtommath library vulnerable to integer overflow (CVE-2023-36328), enabling remote code execution with no authentication required. This affects all users of vulnerable CryptX versions; attackers can exploit the integer overflow to achieve complete system compromise including confidentiality, integrity, and availability breaches. The vulnerability carries a critical CVSS 9.8 score with network-accessible attack vector and no user interaction requirements.
Integer Overflow
Suse
-
CVE-2025-40912
CRITICAL
CVSS 9.8
A security vulnerability in CryptX (CVSS 9.8). Critical severity with potential for significant impact on affected systems. Vendor patch is available.
Information Disclosure
-
CVE-2025-32711
CRITICAL
CVSS 9.3
CVE-2025-32711 is an AI command injection vulnerability in Microsoft 365 Copilot that enables unauthenticated network-based attacks to disclose sensitive information without user interaction. The vulnerability affects M365 Copilot deployments and allows attackers to inject malicious commands that bypass normal authorization controls. With a critical CVSS score of 9.3 and no authentication requirement, this poses an immediate risk to organizations using Copilot features; exploitation status and POC availability require confirmation through Microsoft security advisories.
Command Injection
Microsoft
Information Disclosure
365 Copilot
-
CVE-2025-30085
CRITICAL
CVSS 9.2
A remote code execution vulnerability (CVSS 9.2). Critical severity with potential for significant impact on affected systems.
RCE
Joomla
PHP
Privilege Escalation
-
CVE-2024-1244
CRITICAL
CVSS 9.5
A remote code execution vulnerability in the OSSEC HIDS agent for Windows (CVSS 9.5) that allows an attacker. Critical severity with potential for significant impact on affected systems.
Microsoft
RCE
Windows
-
CVE-2025-49148
HIGH
CVSS 7.3
DLL hijacking vulnerability in ClipShare Server for Windows (versions prior to 3.8.5) that allows local, non-privileged users to achieve arbitrary code execution and potential privilege escalation by placing malicious DLLs in the application directory. The vulnerability exploits Windows' default DLL search order, where the application directory is searched before system paths, and poses a reliable privilege escalation risk when ClipShare is run by elevated users. This is a local attack requiring write access to the installation directory.
Microsoft
RCE
Privilege Escalation
Windows
-
CVE-2025-49146
HIGH
CVSS 8.2
The PostgreSQL JDBC driver (pgjdbc) versions 42.7.4 through 42.7.6 contain an authentication bypass vulnerability where channel binding validation is incorrectly disabled, allowing man-in-the-middle attackers to intercept connections that administrators configured to require channel binding protection. Affected users running pgjdbc with channel binding set to 'required' (a non-default but security-conscious configuration) are vulnerable to credential interception and session hijacking despite believing their connections are protected. The vulnerability is fixed in version 42.7.7.
PostgreSQL
Authentication Bypass
Java
Postgresql Jdbc Driver
Redhat
-
CVE-2025-49091
HIGH
CVSS 8.2
Remote code execution vulnerability in KDE Konsole before version 25.04.2 that exploits improper fallback behavior in URL scheme handler processing. When a user clicks on ssh://, telnet://, or rlogin:// URLs, Konsole attempts to execute the corresponding binary; if unavailable, it dangerously falls back to /bin/bash with the URL as an argument, allowing arbitrary command execution. The vulnerability requires user interaction (clicking a malicious link) but affects all Konsole users, potentially at scale through phishing or drive-by attacks.
RCE
Redhat
Suse
-
CVE-2025-48447
HIGH
CVSS 7.1
A cross-site scripting vulnerability (CVSS 7.1). High severity vulnerability requiring prompt remediation.
XSS
Drupal
PHP
Lightgallery
-
CVE-2025-48446
HIGH
CVSS 8.8
CVE-2025-48446 is an Incorrect Authorization vulnerability (CWE-863) in the Drupal Commerce Alphabank Redirect module that allows unauthenticated attackers to misuse functionality through a network-based attack requiring user interaction. The vulnerability affects Commerce Alphabank Redirect versions prior to 1.0.3, with a CVSS score of 8.8 indicating high severity across confidentiality, integrity, and availability impacts. No public indicators of active exploitation or proof-of-concept code are currently documented, but the high CVSS score and authorization bypass nature warrant immediate patching.
Authentication Bypass
Drupal
PHP
Commerce Alphabank Redirect
-
CVE-2025-48445
HIGH
CVSS 8.8
CVE-2025-48445 is an Incorrect Authorization vulnerability (CWE-863) in Drupal Commerce Eurobank (Redirect) payment module versions before 2.1.1 that allows unauthenticated attackers to misuse functionality through a network-based attack requiring user interaction. With a CVSS score of 8.8 and high impact across confidentiality, integrity, and availability, this vulnerability affects payment processing workflows in Drupal e-commerce installations. The vulnerability requires user interaction (UI:R) but no authentication (PR:N), making it exploitable by attackers who can socially engineer victims or intercept redirect flows in payment processing.
Authentication Bypass
Drupal
PHP
-
CVE-2025-41662
HIGH
CVSS 8.8
Rejected reason: CVE-2025-41662 is considered redundant or unnecessary and thus should be withdrawn. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch available.
Information Disclosure
-
CVE-2025-41661
HIGH
CVSS 8.8
Critical CSRF vulnerability affecting network devices that allows unauthenticated remote attackers to execute arbitrary commands with root privileges by exploiting missing CSRF protections. The vulnerability requires minimal user interaction and presents an exceptionally high real-world risk due to its network-accessible attack vector, root-level command execution capability, and lack of authentication requirements. Active exploitation status and proof-of-concept availability should be confirmed through CISA KEV and exploit databases, as this combination of factors (no auth + remote + root RCE) typically indicates urgent patch deployment.
CSRF
RCE
Privilege Escalation
Authentication Bypass
-
CVE-2025-40915
HIGH
CVSS 7.0
Mojolicious::Plugin::CSRF version 1.03 generates CSRF tokens using weak entropy sources (process ID, current time, and a single rand() call hashed with MD5), allowing attackers to predict or brute-force valid CSRF tokens and bypass CSRF protections. This affects Perl web applications using this specific plugin version. The vulnerability is not currently listed in CISA KEV, but the weak randomness makes token prediction feasible without requiring user interaction or high attack complexity.
CSRF
Information Disclosure
Suse
-
CVE-2025-32717
HIGH
CVSS 8.4
A heap-based buffer overflow vulnerability in Microsoft Office Word (CVSS 8.4) that allows an unauthorized attacker. High severity vulnerability requiring prompt remediation.
Microsoft
Buffer Overflow
Windows
RCE
365 Apps
-
CVE-2025-32465
HIGH
CVSS 8.5
RSTickets! component for Joomla versions 1.9.12 through 3.3.0 contains a stored cross-site scripting (XSS) vulnerability that allows authenticated attackers to inject malicious scripts into the application, which are then executed in the browsers of other users who view the affected content. With a CVSS score of 8.5 and requiring low privilege level plus user interaction, this vulnerability poses a significant risk to Joomla installations using vulnerable RSTickets! versions, particularly in multi-user environments where attackers can escalate privileges or steal administrative credentials.
XSS
Joomla
PHP
-
CVE-2025-29756
HIGH
CVSS 8.3
CVE-2025-29756 is a security vulnerability (CVSS 8.3). High severity vulnerability requiring prompt remediation.
Information Disclosure
-
CVE-2025-25032
HIGH
CVSS 7.5
A remote code execution vulnerability (CVSS 7.5) that allows an authenticated user. High severity vulnerability requiring prompt remediation.
Denial Of Service
IBM
Cognos Analytics
-
CVE-2025-22874
HIGH
CVSS 7.5
Certificate policy validation bypass in cryptographic verification routines where specifying ExtKeyUsageAny in VerifyOptions.KeyUsages inadvertently disables policy validation checks. This affects applications performing X.509 certificate chain verification, particularly those validating certificates containing policy constraint graphs (an uncommon but security-critical scenario). An attacker can present a malicious certificate chain that would normally be rejected due to policy violations, potentially enabling unauthorized certificate acceptance and compromising trust validation in PKI-dependent systems.
Golang
Authentication Bypass
Redhat
Suse
-
CVE-2025-6002
HIGH
CVSS 7.2
A remote code execution vulnerability (CVSS 7.2). High severity vulnerability requiring prompt remediation.
RCE
-
CVE-2025-6001
HIGH
CVSS 8.3
Cross-Site Request Forgery (CSRF) vulnerability in VirtueMart's product image upload function that allows attackers to bypass CSRF token protection and perform unrestricted file uploads to the media manager. This high-severity vulnerability (CVSS 8.3) requires user interaction but poses significant risk to e-commerce platforms using affected VirtueMart versions, potentially enabling remote code execution through malicious file uploads. The vulnerability is network-accessible, requires no special privileges, and impacts confidentiality, integrity, and availability of affected systems.
CSRF
File Upload
-
CVE-2025-5959
HIGH
CVSS 8.8
Type confusion vulnerability in Google Chrome's V8 JavaScript engine that enables remote code execution within the Chrome sandbox prior to version 137.0.7151.103. An attacker can exploit this via a crafted HTML page by tricking a user into visiting a malicious website, achieving arbitrary code execution with high severity impact (CVSS 8.8). The vulnerability's network-based attack vector, low complexity, and requirement only for user interaction make it a practical exploitation target.
RCE
Memory Corruption
Google
Chrome
Suse
-
CVE-2025-5958
HIGH
CVSS 8.8
Use-after-free vulnerability in Google Chrome's Media component that allows remote attackers to corrupt heap memory and achieve arbitrary code execution through a crafted HTML page. All Chrome versions prior to 137.0.7151.103 are affected. The vulnerability requires user interaction (clicking/viewing the malicious page) but can lead to complete system compromise with high impact on confidentiality, integrity, and availability.
Use After Free
Memory Corruption
Google
RCE
Chrome
-
CVE-2025-5687
HIGH
CVSS 7.8
Local privilege escalation vulnerability in Mozilla VPN for macOS that allows an authenticated local user to escalate privileges from normal user to root. This affects Mozilla VPN versions below 2.28.0 on macOS exclusively. An attacker with local access can exploit this without user interaction to gain complete system control, making it a critical risk for multi-user systems or compromised local accounts.
Mozilla
Privilege Escalation
macOS
Vpn
-
CVE-2025-5395
HIGH
CVSS 8.8
The WordPress Automatic Plugin (all versions up to 3.115.0) contains an arbitrary file upload vulnerability in core.php due to insufficient file type validation, allowing authenticated attackers with Author-level or higher privileges to upload malicious files and potentially achieve remote code execution. This is a high-severity vulnerability (CVSS 8.8) affecting a widely-deployed WordPress plugin; real-world exploitation requires valid WordPress credentials at Author level or above, but successful exploitation enables complete server compromise.
WordPress
RCE
PHP
Privilege Escalation
-
CVE-2025-4922
HIGH
CVSS 8.1
CVE-2025-4922 is a security vulnerability (CVSS 8.1). High severity vulnerability requiring prompt remediation.
Information Disclosure
Nomad
Suse
-
CVE-2025-4799
HIGH
CVSS 7.2
WP-DownloadManager plugin for WordPress versions up to 1.68.10 contains an arbitrary file deletion vulnerability (CVE-2025-4799) that allows authenticated administrators to delete any file on the server without directory restrictions. When paired with CVE-2025-4798, attackers can delete critical files like wp-config.php, leading to remote code execution. The vulnerability requires high-privilege administrative access, resulting in a CVSS 7.2 score with high confidentiality, integrity, and availability impact.
WordPress
PHP
RCE
Wp Downloadmanager
-
CVE-2025-4315
HIGH
CVSS 8.8
CubeWP - All-in-One Dynamic Content Framework plugin for WordPress versions up to 1.1.23 contains a privilege escalation vulnerability that allows authenticated attackers with Subscriber-level access to elevate their privileges to administrator through arbitrary user meta manipulation. The vulnerability exploits improper access controls on the update_user_meta() function, enabling account takeover and full site compromise. No active exploitation in the wild has been confirmed at this time, but the low attack complexity and high impact make this a critical remediation priority.
WordPress
Privilege Escalation
PHP
Cubewp
-
CVE-2025-4275
HIGH
CVSS 7.8
Critical Secure Boot bypass vulnerability in UEFI firmware affecting systems with improper digital signature verification in the NVRAM variable validation process. Attackers with local access and low privileges can create malicious non-authenticated NVRAM variables to bypass signature verification mechanisms, enabling execution of arbitrary signed UEFI code and circumventing Secure Boot protections. This vulnerability requires local access and non-trivial complexity but impacts core boot security; real-world exploitation likelihood and active KEV status are critical factors pending vendor disclosure.
RCE
Privilege Escalation
Authentication Bypass
-
CVE-2025-3302
HIGH
CVSS 7.2
The Xagio SEO plugin for WordPress contains a Stored Cross-Site Scripting (XSS) vulnerability in versions up to 7.1.0.16 that allows unauthenticated attackers to inject malicious scripts via the HTTP_REFERER parameter. When users access pages containing injected payloads, the scripts execute in their browsers, potentially enabling session hijacking, credential theft, or malware distribution. The vulnerability was only partially patched in version 7.1.0.0, indicating that complete mitigation requires upgrading to a version beyond 7.1.0.16.
WordPress
XSS
PHP
-
CVE-2024-9062
HIGH
CVSS 7.8
Local privilege escalation vulnerability in Archify's privileged helper tool (com.oct4pie.archifyhelper) that fails to validate client code signatures, entitlements, or signing flags over XPC. Any local process can invoke the helper to execute arbitrary file operations (deletion, permission changes) with root privileges. With a CVSS score of 7.8 and CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H, this vulnerability requires local access and low privileges but enables complete system compromise; KEV status, EPSS score, patch availability, and POC status are not provided in available intelligence sources.
Apple
Privilege Escalation
macOS
-
CVE-2024-7457
HIGH
CVSS 7.8
Privilege escalation vulnerability in the ws.stash.app.mac.daemon.helper tool on macOS that allows unprivileged local users to invoke privileged operations via XPC by exploiting improper authorization validation. The helper incorrectly uses its own root context to validate authorization rather than the client's, enabling attackers to modify system-wide network proxy settings (SOCKS, HTTP, HTTPS) and perform man-in-the-middle attacks. With a CVSS score of 7.8 and low attack complexity, this vulnerability presents significant risk to macOS systems running affected versions of the Stash application.
Apple
macOS
Privilege Escalation
-
CVE-2024-1243
HIGH
CVSS 7.2
CVE-2024-1243 is an improper input validation vulnerability in Wazuh agent for Windows (versions prior to 4.8.0) that allows attackers with control over the Wazuh server or possession of agent keys to redirect agents to malicious UNC paths, resulting in NetNTLMv2 hash leakage. The leaked hash can be relayed for remote code execution or abused for privilege escalation to SYSTEM level via AD CS certificate forging. This vulnerability represents a critical supply-chain/credential-leakage risk for Windows environments using Wazuh, though exploitation requires elevated privileges (high PR requirement) and knowledge of agent keys or server compromise.
Microsoft
RCE
Wazuh
Windows
-
CVE-2025-49150
MEDIUM
CVSS 5.9
Cursor is a code editor built for programming with AI. Prior to 0.51.0, by default, the setting json.schemaDownload.enable was set to True. This means that by writing a JSON file, an attacker can trigger an arbitrary HTTP GET request that does not require user confirmation. Since the Cursor Agent can edit JSON files, this means a malicious agent, for example, after a prompt injection attack already succeeded, could trigger a GET request to an attacker controlled URL, potentially exfiltrating other data the agent may have access to. This vulnerability is fixed in 0.51.0.
Information Disclosure
-
CVE-2025-48448
MEDIUM
CVSS 6.5
Allocation of Resources Without Limits or Throttling vulnerability in Drupal Admin Audit Trail allows Excessive Allocation. This issue affects Admin Audit Trail: from 0.0.0 before 1.0.5.
Denial Of Service
Admin Audit Trail
Drupal
-
CVE-2025-48444
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing. This issue affects Quick Node Block: from 0.0.0 before 2.0.0.
Authentication Bypass
Quick Node Block
Drupal
-
CVE-2025-48013
MEDIUM
CVSS 5.3
Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing. This issue affects Quick Node Block: from 0.0.0 before 2.0.0.
Authentication Bypass
Quick Node Block
Drupal
-
CVE-2025-35941
MEDIUM
CVSS 5.5
A security vulnerability in A password (CVSS 5.5). Remediation should follow standard vulnerability management procedures.
Information Disclosure
-
CVE-2025-32466
MEDIUM
CVSS 6.7
A SQL injection vulnerability in RSMediaGallery! component 1.7.4 - 2.1.7 for Joomla was discovered. The issue occurs within the dashboard component, where user-supplied input is not properly sanitized before being stored and rendered. An attacker can inject malicious JavaScript code into text fields or other input points, which is subsequently executed in the browser of any user who clicks on the crafted text in the dashboard.
SQLi
Joomla
-
CVE-2025-30675
MEDIUM
CVSS 4.7
In Apache CloudStack, a flaw in access control affects the listTemplates and listIsos APIs. A malicious Domain Admin or Resource Admin can exploit this issue by intentionally specifying the 'domainid' parameter along with the 'filter=self' or 'filter=selfexecutable' values. This allows the attacker to gain unauthorized visibility into templates and ISOs under the ROOT domain.
A malicious admin can enumerate and extract metadata of templates and ISOs that belong to unrelated domains, violating isolation boundaries and potentially exposing sensitive or internal configuration details.
This vulnerability has been fixed by ensuring the domain resolution strictly adheres to the caller's scope rather than defaulting to the ROOT domain.
Affected users are recommended to upgrade to Apache CloudStack 4.19.3.0 or 4.20.1.0.
Apache
Information Disclosure
Cloudstack
-
CVE-2025-26412
MEDIUM
CVSS 6.8
CVE-2025-26412 is a security vulnerability (CVSS 6.8) that allows an attacker. Remediation should follow standard vulnerability management procedures.
Information Disclosure
-
CVE-2025-26383
MEDIUM
CVSS 6.3
A security vulnerability in The (CVSS 6.3). Remediation should follow standard vulnerability management procedures.
Microsoft
Information Disclosure
Windows
-
CVE-2025-5986
MEDIUM
CVSS 6.5
A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data (e.g. using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content. This vulnerability affects Thunderbird < 128.11.1 and Thunderbird < 139.0.2.
Microsoft
Mozilla
Information Disclosure
Ubuntu
Debian
-
CVE-2025-5144
MEDIUM
CVSS 6.4
The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-date-*’ parameters in all versions up to, and including, 6.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
WordPress
XSS
The Events Calendar
PHP
-
CVE-2025-4798
MEDIUM
CVSS 4.9
The WP-DownloadManager plugin for WordPress is vulnerable to arbitrary file read in all versions up to, and including, 1.68.10. This is due to a lack of restriction on the directory an administrator can select for storing downloads. This makes it possible for authenticated attackers, with Administrator-level access and above, to download and read any file on the server, including system and configuration files.
WordPress
Information Disclosure
Wp Downloadmanager
PHP
-
CVE-2025-4673
MEDIUM
CVSS 6.8
Proxy-Authorization and Proxy-Authenticate headers persisted on cross-origin redirects potentially leaking sensitive information.
Information Disclosure
Ubuntu
Debian
Redhat
Suse
-
CVE-2025-4666
MEDIUM
CVSS 6.4
The Zotpress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nickname’ parameter in all versions up to, and including, 7.3.15 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above,...
WordPress
XSS
-
CVE-2025-4605
MEDIUM
CVSS 6.6
A maliciously crafted .usdc file, when loaded through Autodesk Maya, can force an uncontrolled memory allocation vulnerability. A malicious actor may leverage this vulnerability to cause a denial-of-service (DoS), or cause data corruption.
Information Disclosure
Universal Scene Description
Maya
-
CVE-2025-4573
MEDIUM
CVSS 4.1
Mattermost versions 10.7.x <= 10.7.1, 10.6.x <= 10.6.3, 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly validate LDAP group ID attributes, allowing an authenticated administrator with PermissionSysconsoleWriteUserManagementGroups permission to execute LDAP search filter injection via the PUT /api/v4/ldap/groups/{remote_id}/link API when objectGUID is configured as the Group ID Attribute.
Ldap
Code Injection
Debian
Mattermost Server
Suse
-
CVE-2025-3473
MEDIUM
CVSS 6.7
CVE-2025-3473 is a security vulnerability (CVSS 6.7) that allows a local privileged user. Remediation should follow standard vulnerability management procedures.
Privilege Escalation
IBM
Guardium Data Protection
-
CVE-2025-1055
MEDIUM
CVSS 5.6
A vulnerability in the K7RKScan.sys driver, part of the K7 Security Anti-Malware suite, allows a local low-privilege user to send crafted IOCTL requests to terminate a wide range of processes running with administrative or system-level privileges, with the exception of those inherently protected by the operating system. This flaw stems from missing access control in the driver's IOCTL handler, enabling unprivileged users to perform privileged actions in kernel space. Successful exploitation can lead to denial of service by disrupting critical services or privileged applications.
Denial Of Service
Authentication Bypass
-
CVE-2025-0923
MEDIUM
CVSS 5.3
IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 stores source code on the web server that could aid in further attacks against the system.
Information Disclosure
IBM
Cognos Analytics
-
CVE-2025-0917
MEDIUM
CVSS 5.5
IBM Cognos Analytics 11.2.0, 11.2.1, 11.2.2, 11.2.3, 11.2.4, 12.0.0, 12.0.1, 12.0.2, 12.0.3, and 12.0.4 is vulnerable to stored cross-site scripting. This vulnerability allows a privileged user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
XSS
IBM
Cognos Analytics
-
CVE-2025-0913
MEDIUM
CVSS 5.5
os.OpenFile(path, os.O_CREATE|O_EXCL) behaved differently on Unix and Windows systems when the target path was a dangling symlink. On Unix systems, OpenFile with O_CREATE and O_EXCL flags never follows symlinks. On Windows, when the target path was a symlink to a nonexistent location, OpenFile would create a file in that location. OpenFile now always returns an error when the O_CREATE and O_EXCL flags are both set and the target path is a symlink.
Microsoft
Information Disclosure
Ubuntu
Debian
Go
-
CVE-2025-0163
MEDIUM
CVSS 5.3
CVE-2025-0163 is a security vulnerability (CVSS 5.3) that allows a remote attacker. Remediation should follow standard vulnerability management procedures.
Docker
Information Disclosure
IBM
Security Verify Access
Security Verify Access Docker
-
CVE-2024-35295
MEDIUM
CVSS 6.1
A vulnerability has been identified in Perfect Harmony GH180 (All versions >= V8.0 < V8.3.3 with NXGPro+ controller manufactured between April 2020 to April 2025). The maintenance connection of affected devices fails to protect access to the device's control unit configuration. This could allow an attacker with physical access to the maintenance connection's door port to perform arbitrary configuration changes.
Authentication Bypass
-
CVE-2024-8270
MEDIUM
CVSS 5.5
A remote code execution vulnerability in macOS Rocket.Chat application (CVSS 5.5). Remediation should follow standard vulnerability management procedures.
Apple
Authentication Bypass
macOS
-
CVE-2025-49793
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-49792
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-49791
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-49790
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-49789
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-49788
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-49787
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-49786
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-49785
None
Rejected reason: Not used. No vendor patch available.
Information Disclosure
-
CVE-2025-5991
LOW
CVSS 2.1
There is a "Use After Free" vulnerability in Qt's QHttp2ProtocolHandler in the QtNetwork module. This only affects HTTP/2 handling; HTTP handling is not affected by this at all. This happens due to a race condition between how QHttp2Stream uploads the body of a POST request and the simultaneous handling of HTTP error responses.
This issue only affects Qt 6.9.0 and has been fixed for Qt 6.9.1.
Use After Free
Denial Of Service
Memory Corruption
Ubuntu
Debian
-
CVE-2025-4128
LOW
CVSS 3.1
Mattermost versions 10.5.x <= 10.5.4, 9.11.x <= 9.11.13 fail to properly restrict API access to team information, allowing guest users to bypass permissions and view information about public teams they are not members of via a direct API call to /api/v4/teams/{team_id}.
Authentication Bypass
Debian
-
CVE-2025-1699
LOW
CVSS 2.8
An incorrect default permissions vulnerability was reported in the MotoSignature application that could result in unauthorized access.
Privilege Escalation
Authentication Bypass
-
CVE-2025-1698
LOW
CVSS 2.8
Null pointer exception vulnerabilities were reported in the fingerprint sensor service that could allow a local attacker to cause a denial of service.
Null Pointer Dereference
Denial Of Service