Linux kernel ublk subsystem suffers from a use-after-free vulnerability in partition scan operations where a race condition between device teardown and asynchronous partition scanning allows local attackers with user privileges to access freed memory, potentially causing denial of service or information disclosure. The vulnerability stems from improper reference counting of disk objects during concurrent operations, affecting all Linux systems with the vulnerable ublk driver. A patch is available to resolve this issue by implementing proper disk reference management in the partition scan worker.
In the Linux kernel, the following vulnerability has been resolved: btrfs: fix use-after-free warning in btrfs_get_or_create_delayed_node() Previously, btrfs_get_or_create_delayed_node() set the delayed_node's refcount before acquiring the root->delayed_nodes lock. [CVSS 7.8 HIGH]
In the Linux kernel, the following vulnerability has been resolved: net: dsa: properly keep track of conduit reference Problem description ------------------- DSA has a mumbo-jumbo of reference handling of the conduit net device and its kobject which, sadly, is just wrong and doesn't make sense. [CVSS 7.8 HIGH]
Linux kernel ARP implementation incorrectly assumes that dev_hard_header() does not modify the SKB header structure, leading to potential denial of service when the function pointer is changed. A local user with standard privileges can trigger a system crash or hang by exploiting this unsafe memory assumption during ARP packet creation. A patch is available to properly reinitialize the ARP pointer after the dev_hard_header() call.
The Linux kernel NFSv4 grace period handler contains a use-after-free vulnerability in the v4_end_grace function that can be triggered by local attackers with unprivileged access, allowing them to read or modify sensitive kernel memory or cause a denial of service. The vulnerability arises from improper synchronization between the grace period shutdown logic and the NFSv4 client tracking mechanism, which can result in memory being accessed after it has been freed. A patch is available to add proper locking that prevents concurrent access to the vulnerable code path.
In the Linux kernel, the following vulnerability has been resolved: RDMA/core: always drop device refcount in ib_del_sub_device_and_put() Since nldev_deldev() (introduced by commit 060c642b2ab8 ("RDMA/nldev: Add support to add/delete a sub IB device through netlink") grabs a reference using ib_device_get_by_index() before calling ib_del_sub_device_and_put(), we need to drop that reference before returning -EOPNOTSUPP error. [CVSS 7.8 HIGH]
In the Linux kernel, the following vulnerability has been resolved: gve: defer interrupt enabling until NAPI registration Currently, interrupts are automatically enabled immediately upon request. [CVSS 7.8 HIGH]
In the Linux kernel, the following vulnerability has been resolved: usb: phy: isp1301: fix non-OF device reference imbalance A recent change fixing a device reference leak in a UDC driver introduced a potential use-after-free in the non-OF case as the isp1301_get_client() helper only increases the reference count for the returned I2C device in the OF case. [CVSS 7.8 HIGH]
Remote code execution in Langflow's disk cache service allows authenticated attackers to execute arbitrary code by exploiting improper deserialization of untrusted data. The vulnerability affects Langflow installations and requires valid authentication credentials to exploit, enabling attackers to gain code execution within the service account context. No patch is currently available.
Blind SQL injection in Neoforum version 1.0 and earlier allows high-privileged attackers to execute arbitrary SQL commands over the network without user interaction, potentially compromising data confidentiality and integrity. The vulnerability stems from inadequate sanitization of user inputs in SQL queries, and no patch is currently available.
Anritsu ShockLine SCPI Race Condition Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Anritsu ShockLine. [CVSS 7.5 HIGH]
A WordPress plugin has a PHP Remote File Inclusion vulnerability (CWE-98) allowing unauthenticated remote code execution through crafted include paths.
DevsBlink EduBlink Core through version 2.0.7 contains a local file inclusion vulnerability in its PHP file handling that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters to bypass proper input validation and access sensitive system files. No patch is currently available for this vulnerability.
The Laurent theme for PHP versions 3.1 and earlier contains a local file inclusion vulnerability that allows authenticated attackers to read arbitrary files on the affected system. An attacker with valid credentials can manipulate filename parameters in include/require statements to access sensitive data outside the intended application directory. No patch is currently available for this vulnerability.
Laurent Core plugin for PHP through version 2.4.1 contains a local file inclusion vulnerability in its filename handling for include/require statements, allowing authenticated attackers to read arbitrary files from the affected system. With a CVSS score of 7.5, this vulnerability enables confidentiality and integrity compromise, though exploitation requires valid credentials and no patch is currently available.
Omnipress through version 1.6.6 contains a local file inclusion vulnerability in its PHP program that allows authenticated attackers to read arbitrary files on the server. An attacker with valid credentials can manipulate filename parameters in include/require statements to access sensitive files outside the intended directory. This vulnerability requires user interaction but poses significant risk to confidentiality with no available patch at this time.
8180 Ip Audio Alerter Firmware versions up to 5.5 contains a vulnerability that allows attackers to disclose sensitive information on affected installations of ALGO 8180 IP Audio A (CVSS 7.5).
The ALGO 8180 IP Audio Alerter web interface improperly exposes authentication cookies in HTTP response bodies, enabling unauthenticated remote attackers to steal sensitive credentials and gain unauthorized access to affected devices. This information disclosure vulnerability requires no authentication or user interaction to exploit and affects the device's web-based management interface. No patch is currently available for this vulnerability.
An unauthenticated information disclosure vulnerability exists in Newgen OmniDocs due to missing authentication and access control on the /omnidocs/GetListofCabinet API endpoint. [CVSS 7.5 HIGH]
Elastic Cloud Storage versions up to 3.8.1.7 is affected by cleartext transmission of sensitive information (CVSS 7.5).
Unauthenticated Server-Side Request Forgery (SSRF) in FOG 1.5.10.1754 and earlier allows remote attackers to read internal files and access local services by manipulating the url parameter in getversion.php when newService=1 is present. The vulnerability requires no authentication or user interaction and affects the confidentiality of sensitive data accessible from the affected system. No patch is currently available.
An information disclosure vulnerability exists in the /srvs/membersrv/getCashiers endpoint of the Aptsys gemscms backend platform thru 2025-05-28. This unauthenticated endpoint returns a list of cashier accounts, including names, email addresses, usernames, and passwords hashed using MD5. [CVSS 7.5 HIGH]
A null pointer dereference vulnerability in the Linux kernel's libceph library occurs when free_choose_arg_map() is called after a partial memory allocation failure, allowing a local attacker with low privileges to cause a denial of service. The vulnerability exists because the function does not validate pointers before dereferencing them during cleanup operations. A patch is available to add proper pointer checks and make the cleanup routine resilient to incomplete allocations.
A local privileged user can trigger a kernel panic in the Linux kernel's Ceph client by providing a maliciously corrupted incremental osdmap with an unexpected epoch value, causing a denial of service. The vulnerability stems from overzealous assertion logic that should instead gracefully reject invalid osdmap data. A patch is available to replace the fatal BUG_ON check with proper validation.
The The BuddyPress plugin for WordPress is vulnerable to arbitrary shortcode execution in all versions up to, and including, 14.3.3. This is due to the software allowing users to execute an action that does not properly validate a value before running do_shortcode. [CVSS 7.3 HIGH]
Discord Client's discord_rpc module improperly loads files from an unsecured search path, enabling local attackers with low-privilege code execution to escalate privileges and run arbitrary code with elevated user context. This vulnerability requires prior local code execution capability and affects systems running vulnerable Discord Client installations. No patch is currently available.
Langflow's PythonFunction component allows authenticated attackers with user interaction to inject and execute arbitrary Python code within application workflows, achieving remote code execution. The vulnerability affects Langflow deployments using Python-based AI/ML components, with exploitation feasibility depending on specific product configurations. No patch is currently available.
Reflected cross-site scripting (XSS) in Neoforum version 1.0 and earlier allows authenticated attackers to inject malicious scripts that execute in users' browsers when they interact with crafted links, potentially leading to session hijacking or credential theft. The vulnerability requires user interaction and authenticated access, limiting its immediate impact but still posing a risk in multi-user forum environments. No patch is currently available.
Improper permissions in the handler for the Custom URL Scheme in ToDesktop Builder v0.33.0 allows attackers with renderer-context access to invoke external protocol handlers without sufficient validation. [CVSS 7.1 HIGH]
npm cli contains an insecure module loading mechanism that enables local privilege escalation on Node.js installations. An attacker with low-privileged code execution can exploit this flaw to gain elevated privileges and execute arbitrary code with target user permissions. No patch is currently available for this vulnerability.