Path traversal in Linksys MR9600 and MX4200 firmware allows attackers with physical access to mount arbitrary USB drive partitions into the file system, potentially enabling root-level code execution. Public exploit code exists for this vulnerability, and no patch is currently available. Affected versions include MR9600 1.0.4.205530 and MX4200 1.0.13.210200.
Caddy versions prior to 2.11.1 fail to sanitize backslashes in file path matching, allowing attackers to bypass path-based security controls through specially crafted requests. The vulnerability affects systems with specific Caddy configurations and has public exploit code available. Exploitation requires network access with no authentication, resulting in limited information disclosure or modification of restricted resources.
Denial of service in New API's `/api/token/search` endpoint allows authenticated users to exhaust database resources through SQL wildcard injection in unescaped search parameters. An attacker can craft malicious search patterns that trigger expensive queries, causing service unavailability. Public exploit code exists for this medium-severity vulnerability affecting versions prior to 0.10.8-alpha.10.
OpenEXR versions 3.3.0-3.3.6 and 3.4.0-3.4.4 are vulnerable to a heap buffer overflow in file parsing due to improper integer handling when processing malformed EXR files, allowing attackers to trigger a denial of service through memory-mapped streams. Public exploit code exists for this vulnerability. Patched versions 3.3.7 and 3.4.5 are available.
Craft CMS versions 4.5.0 through 4.16.18 and 5.0.0 through 5.8.22 contain an SSRF bypass in GraphQL Asset mutations where IPv6-only hostnames bypass the security blocklist, allowing authenticated users with GraphQL asset editing permissions to perform server-side request forgery attacks. Public exploit code exists for this vulnerability, which is a regression of a previously patched SSRF issue. Authenticated users with appropriate GraphQL schema permissions can exploit this to access internal resources or perform requests to arbitrary IPv6 addresses.
Caddy versions prior to 2.11.1 allow unauthenticated cross-origin requests to the admin API when origin enforcement is disabled, enabling attackers to remotely reconfigure the server through malicious web content loaded in a victim's browser. Public exploit code exists for this vulnerability, which can be leveraged to modify HTTP server behavior and admin listener settings without user knowledge. The vulnerability affects Caddy and TLS implementations, with no patch currently available for affected versions.
DNS rebinding attacks in Craft CMS 4.5.0-RC1 through 4.16.18 and 5.0.0-RC1 through 5.8.22 allow authenticated attackers to bypass SSRF protections in GraphQL asset mutations by exploiting a Time-of-Check-Time-of-Use race condition between DNS validation and HTTP requests. Attackers with appropriate GraphQL schema permissions can access blocked IP addresses and internal resources that should be restricted. Public exploit code exists for this vulnerability, which represents a bypass of the previous CVE-2025-68437 fix.
Memory exhaustion denial of service in Astro 9.0.0 through 9.5.3 allows remote attackers to crash server processes by sending oversized POST requests to server action endpoints without size restrictions. The framework buffers entire request bodies into memory with no limits, enabling a single large request to exhaust heap memory on affected deployments. Public exploit code exists for this vulnerability, which is particularly impactful in containerized environments where repeated crashes trigger persistent restart loops.
Dinky versions up to 1.2.5 contain an authentication bypass in the OpenAPI endpoint handler that allows unauthenticated remote attackers to manipulate interceptor configuration. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.
Bit7z versions prior to 4.0.11 contain a path traversal vulnerability that allows arbitrary file writes outside the intended extraction directory when processing malicious archives through relative paths, absolute paths, or symbolic links. Applications using bit7z to extract untrusted archives are affected, enabling attackers to overwrite critical files with the privileges of the extraction process. Public exploit code exists for this vulnerability.
SQL injection in itsourcecode Document Management System 1.0 via the field1 parameter in /edtlbls.php enables unauthenticated remote attackers to compromise data confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can be executed over the network with minimal complexity.
Document Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).
E-Logbook With Health Monitoring System For Covid-19 versions up to 1.0 contains a security vulnerability (CVSS 7.3).
SQL injection in itsourcecode Event Management System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /admin/index.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can leverage this to access, modify, or delete sensitive data with confidentiality, integrity, and availability impact.
Piwigo is an open source photo gallery application for the web. In version 15.5.0 and likely earlier 15.x releases, the password reset functionality in Piwigo allows an unauthenticated attacker to determine whether a given username or email address exists in the system. [CVSS 5.3 MEDIUM]
free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. [CVSS 5.3 MEDIUM]
free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of the User Data Repository are affected by Improper Error Handling with Information Exposure. [CVSS 5.3 MEDIUM]
Information disclosure in free5GC UDR versions up to 1.4.1 allows remote attackers to obtain detailed internal parsing error messages through the NEF component's Nnef_PfdManagement service, enabling service fingerprinting and reconnaissance. Public exploit code exists for this vulnerability, and all deployments using the affected service are at risk. A patch is available in pull request 56 and should be applied immediately, as no application-level workarounds exist.
Pimcore is an Open Source Data & Experience Management Platform. [CVSS 4.9 MEDIUM]
Cryptopro Secure Disk contains a vulnerability that allows attackers to execute arbitrary code in the context of the root user and enables an attacker t (CVSS 6.8).
Synology Presto Client versions prior to 2.1.3-0672 are vulnerable to DLL hijacking during installation, enabling local attackers with user privileges to read or write arbitrary files by placing malicious libraries in the installer directory. The vulnerability requires user interaction and local access but grants high-impact capabilities including confidentiality and integrity violations. No patch is currently available.
Denial of service in Valkey-Bloom module allows authenticated attackers to crash the Valkey server by sending a specially crafted RESTORE command that triggers an unhandled assertion. The vulnerability exists because the module failed to set the IO_ERRORS flag during RDB parsing, causing the server to shut down instead of gracefully handling the malformed input. A security patch is available, and administrators can mitigate the issue by disabling the RESTORE command if not required.
Uncontrolled resource allocation in Wasmtime's WASI host interfaces allows authenticated guests to trigger denial of service on the host system by exhausting resources without proper limits. Affected versions prior to 24.0.6, 36.0.6, 40.0.4, 41.0.4, and 42.0.0 require explicit configuration to mitigate this issue, though Wasmtime 42.0.0 and later provide secure defaults. No patch is currently available for older versions, and resource exhaustion protections must be manually enabled.
Insufficient SQL function restrictions in Apache Superset before 4.1.2 allow authenticated users to execute sensitive database functions on ClickHouse engines that should have been blocked. An attacker with database access could leverage the incomplete DISALLOWED_SQL_FUNCTIONS list to bypass security controls and potentially extract or manipulate data. No patch is currently available for affected versions of Apache Superset, PostgreSQL, and related deployments.
Medium severity vulnerability in ImageMagick. The pcd coder lacks proper boundary checking when processing Huffman-coded data. The decoder contains an function that has an incorrect initialization that could cause an out of bounds read.
ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 contain an integer overflow in the SUN image decoder that allows heap buffer overflow on 32-bit systems when processing specially crafted image files. Attackers can trigger this vulnerability remotely without authentication to cause denial of service or potentially achieve code execution. A patch is currently unavailable, leaving affected 32-bit installations at risk until updates are released.
ImageMagick's UIL and XPM image encoders fail to validate pixel index values before using them as array subscripts, allowing an attacker to craft malicious images that trigger out-of-bounds reads in HDRI builds. Exploitation can result in information disclosure or denial of service through process crashes. Versions prior to 7.1.2-15 and 6.9.13-40 are affected, and no patch is currently available.
Medium severity vulnerability in ImageMagick. A heap out-of-bounds read vulnerability exists in the `coders/dcm.c` module. When processing DICOM files with a specific configuration, the decoder loop incorrectly reads bytes per iteration. This causes the function to read past the end of the allocated buffer, potentially leading to a Denial of Service (crash) or Information Disclosure (leaking heap memory into the image).
Authenticated users in Apache Superset versions before 6.0.0 can access sensitive user information including password hashes and email addresses through the Tag endpoint API, which improperly exposes user objects without proper field filtering. An attacker with low-privilege credentials (such as Gamma role) can exploit this to retrieve authentication data that should remain hidden. The vulnerability only affects instances with the TAGGING_SYSTEM enabled, which is disabled by default.
Apache Superset before version 6.0.0 contains an authorization bypass in dataset management that allows authenticated users with write access to datasets to circumvent data access controls and query unauthorized information. An attacker can exploit this by modifying the SQL query of existing datasets to access restricted data that their role should not permit. No patch is currently available, leaving affected deployments vulnerable until upgrading to version 6.0.0.
Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. User...
Authenticated users in Apache Superset versions before 6.0.0 can execute write operations against PostgreSQL databases configured as read-only by crafting specially formatted SQL statements that evade validation checks. This allows an attacker with SQLLab access to perform unauthorized data modifications despite read-only protections being in place. No patch is currently available for affected versions.
Devolutions Server 2025.3.14.0 and earlier contains insufficient access control in REST API endpoints that enables authenticated view-only users to retrieve sensitive connection data they should not access. An attacker with basic authentication credentials could exploit this to gain unauthorized visibility into protected connection information, compromising confidentiality without requiring user interaction or elevated privileges.
Payload CMS prior to v3.75.0 contains a Server-Side Request Forgery vulnerability in its external file upload feature that allows authenticated users with upload collection permissions to access internal network resources by exploiting insufficient HTTP redirect validation. An attacker could retrieve sensitive response content from internal services accessible to the Payload server. A patch is available in version 3.75.0.
Apache Superset before version 6.0.0 contains a SQL injection vulnerability in the sqlExpression and where parameters that allows authenticated users with read access to extract sensitive data through error-based techniques. An attacker with valid credentials could exploit this to bypass query restrictions and access unauthorized database information. A patch is available in version 6.0.0 and later.
Imagemagick versions up to 7.1.2-15 is affected by loop with unreachable exit condition (infinite loop) (CVSS 6.2).
ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 are vulnerable to denial of service when processing maliciously crafted image profiles containing invalid IPTC data, which triggers an infinite loop during IPTCTEXT writing operations. An attacker can exploit this by supplying a specially crafted image file to cause the application to hang or consume excessive resources. No patch is currently available for affected systems.
Medium severity vulnerability in ImageMagick. # Magick fails to check for circular references between two MSLs, leading to a stack overflow.
A cross-site scripting (XSS) vulnerability in a FileMaker WebDirect custom homepage could lead to unauthorized access and remote code execution. This vulnerability has been fully addressed in FileMaker Server 22.0.4 and FileMaker Server 21.1.7. [CVSS 6.1 MEDIUM]
NiceGUI versions prior to 3.8.0 are vulnerable to stored cross-site scripting (XSS) through multiple APIs that improperly handle user-controlled method names, allowing attackers to inject arbitrary JavaScript that executes in victims' browsers. The vulnerability stems from unsafe use of eval() and string interpolation in Element.run_method(), AgGrid.run_grid_method(), EChart.run_chart_method(), and related functions. A patch is available in version 3.8.0 and later.
Avideo versions prior to 21.0 allow authenticated attackers to inject malicious JavaScript through improperly sanitized Markdown links in video comments, enabling session hijacking, privilege escalation, and data theft when victims click the links. The vulnerability stems from unsafe Parsedown configuration that fails to block javascript: URI schemes. A patch is available in version 21.0.
Stored cross-site scripting in Binardat 10G08-0800GSM network switch firmware through version V300SP10260209 enables attackers to execute arbitrary JavaScript within authenticated user sessions via the web interface. An attacker with network access can inject malicious scripts that execute in the context of legitimate users, potentially leading to session hijacking, credential theft, or unauthorized configuration changes. No patch is currently available.
NATS Server versions prior to 2.11.2 and 2.12.3 fail to properly limit memory allocation during WebSocket compression, allowing unauthenticated attackers to trigger denial of service through compression bomb attacks that exhaust server memory. The vulnerability is exploitable pre-authentication since compression negotiation occurs before credential validation. A patch is available in versions 2.11.2 and 2.12.3.
Mastodon servers with the experimental FASP feature enabled are vulnerable to Server-Side Request Forgery (SSRF) attacks, allowing unauthenticated attackers to register accounts with arbitrary base URLs that force the server to make requests to internal or local addresses. While attackers cannot control the full request path or view responses, this exposure of internal systems to external manipulation could facilitate reconnaissance or attacks on backend infrastructure. Affected versions are 4.4.0-4.4.13 and 4.5.0-4.5.6; a patch is available.
ImageMagick versions prior to 7.1.2-15 and 6.9.13-40 allow local attackers to bypass the secure policy's stdin/stdout restrictions by using fd:<n> pseudo-filenames (e.g., fd:0, fd:1), enabling unauthorized reading and writing to standard streams. This vulnerability affects systems relying on ImageMagick's default security policies to prevent stream manipulation. No patch is currently available, though administrators can manually update their security policy configuration as a workaround.
Local privilege escalation in Genetec Update Service. An authenticated, low-privileged, Windows user could exploit this vulnerability to gain elevated privileges on the affected system. [CVSS 7.8 HIGH]
Local admin could to leak information from the Genetec Update Service configuration web page. An authenticated, admin privileged, Windows user could exploit this vulnerability to gain elevated privileges in the Genetec Update Service. [CVSS 4.2 MEDIUM]
Arbitrary code injection in ImageMagick's PostScript and HTML encoders allows attackers to inject malicious code that executes when files are processed by downstream applications like Ghostscript or web viewers. The vulnerability affects versions prior to 7.1.2-15 and 6.9.13-40 due to insufficient input sanitization in the ps and html coders. Users processing untrusted image files are at risk of code execution, though no patch is currently available.
Download of Code Without Integrity Check vulnerability in Microchip Time Provider 4100 allows Malicious Manual Software Update.This issue affects Time Provider 4100: before 2.5. [CVSS 4.1 MEDIUM]
A use-after-free vulnerability in Firefox and Thunderbird's JavaScript WebAssembly engine allows remote attackers to achieve information disclosure or data manipulation through a malicious webpage or email attachment that requires user interaction. Affected versions include Firefox below 148 and Thunderbird below 148, with no patch currently available. The vulnerability has a network attack vector with low complexity and carries a CVSS score of 5.4.