Weblate is a web based localization tool. In versions prior to 5.17, the ZIP download feature didn't verify downloaded files, potentially following symlinks outside the repository. This issue has been fixed in version 5.17.
### Summary The Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters. ### Details Velbus import uses `DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(...)` on untrusted XML input, without explicit safeguards to disable DTD/external entities. ```154:165:agent/src/main/java/org/openremote/agent/protocol/velbus/AbstractVelbusProtocol.java @Override public Future<Void> startAssetImport(byte[] fileData, Consumer<AssetTreeNode[]> assetConsumer) { return executorService.submit(() -> { Document xmlDoc; try { String xmlStr = new String(fileData, StandardCharsets.UTF_8); LOG.info("Parsing VELBUS project file"); xmlDoc = DocumentBuilderFactory .newInstance() .newDocumentBuilder() .parse(new InputSource(new StringReader(xmlStr))); ``` Expanded `Caption` content is propagated into created asset names: ```193:198:agent/src/main/java/org/openremote/agent/protocol/velbus/AbstractVelbusProtocol.java String name = module.getElementsByTagName("Caption").item(0).getTextContent(); name = isNullOrEmpty(name) ? deviceType.toString() : name; // TODO: Use device specific asset types Asset<?> device = new ThingAsset(name); ``` ### PoC 1. Log in to a realm with a user that can call Velbus asset import. 2. Create/select a Velbus TCP Agent in that same realm. 3. Send `POST /api/{realm}/agent/assetImport/{agentId}` with a Velbus project XML payload and compare behavior against a baseline import file. 3. Save the below code as a `xxe.xml` and upload to `Setup` under `https://localhost/manager/?realm=<YOUR_REALM>#/assets/false/<ASSET_ID>`. Chnage the `file:///etc/passwd` to another file if your `passwd` is longer than 1023 characters. ```xml <?xml version="1.0" encoding="UTF-8"?> <!DOCTYPE velbus [ <!ENTITY xxe SYSTEM "file:///etc/passwd"> ]> <Project> <Module type="VMB1RY" address="01" build="00" serial="LAB"> <Caption>&xxe;</Caption> </Module> </Project> ``` As long as the file content is under 1023 characters, the exploit will succeed. <img width="1200" height="662" alt="image" src="https://github.com/user-attachments/assets/213f063d-98b6-4717-b98c-f4255952026b" /> If the file content reaches the limit, an error is thrown. <img width="1200" height="630" alt="image" src="https://github.com/user-attachments/assets/ee177a6b-2cb2-48ae-94df-c994ecb41429" /> ### Impact - **Type:** XML External Entity (XXE) - **Affected:** Deployments exposing Velbus import to authenticated users with import access - **Risk:** limited local file disclosure (as long as the file is under 1023 characters) from the Manager runtime, and SSRF.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in WC Lovers WCFM Marketplace allows SQL Injection.This issue affects WCFM Marketplace: from n/a through 3.7.1.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in bdthemes Element Pack Elementor Addons bdthemes-element-pack-lite allows Blind SQL Injection.This issue affects Element Pack Elementor Addons: from n/a through <= 8.4.2.
An issue in the file handling logic of the component download.php of SAC-NFe v2.0.02 allows attackers to execute a directory traversal and read arbitrary files from the system via a crafted GET request.
Remote code execution in Google Chrome on Android versions prior to 147.0.7727.101 is possible through a use-after-free vulnerability in the Payments feature. Attackers who successfully convince users to perform specific UI interactions on a malicious webpage can achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The vulnerability requires high attack complexity and user interaction (CVSS:3.1/AV:N/AC:H/PR:N/UI:R), indicating social engineering is necessary. Google has released Chrome 147.0.7727.101 to address this issue. No evidence of active exploitation (not in CISA KEV) or public proof-of-concept code has been identified at time of analysis.
Out-of-bounds read in Google Chrome's media component (versions prior to 147.0.7727.101) enables remote code execution when attackers convince users to perform specific UI interactions on a malicious HTML page. Google rated this high severity and released Chrome 147.0.7727.101 as a fix. No active exploitation confirmed via CISA KEV at time of analysis, though CVSS 7.5 reflects significant impact if user interaction prerequisite is met. The UI gesture requirement and high attack complexity (AC:H) reduce automated exploitation risk compared to interaction-free vulnerabilities.
Incorrect access control in the config.php component of Slah v1.5.0 and below allows unauthenticated attackers to access sensitive information, including active session credentials.
Remote validation bypass in Fastify 5.3.2+ allows unauthenticated attackers to bypass per-content-type body schema validation by prepending a single space character to the Content-Type HTTP header. Applications using schema.body.content for request validation accept malformed or malicious payloads that should be rejected, enabling data integrity violations. This regression was introduced by the fix for CVE-2025-32442. EPSS data not available; no confirmed active exploitation (CISA KEV) or public exploit code identified at time of analysis. Affects Fastify web framework version 5.3.2 through 5.8.4.
Uncontrolled Resource Consumption in Bosch VMS Central Server in Bosch VMS 12.0.1 allows attackers to consume excessive amounts of disk space via network interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Connection slot exhaustion in Deadwood (MaraDNS 3.5.0036) allows remote unauthenticated attackers to cause denial of service by triggering lookups for zones with unresolvable authoritative nameserver addresses. This resource exhaustion vulnerability (CWE-670) has CVSS 7.5 severity and EPSS data indicates low exploitation probability. No public exploit identified at time of analysis, though the attack mechanism appears straightforward given the network-accessible attack vector with low complexity.
CentSDR commit e40795 was discovered to contain a stack overflow in the "Thread1" function.
Missing Authorization vulnerability in Plisio Accept Cryptocurrencies with Plisio allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Accept Cryptocurrencies with Plisio: from n/a through 2.0.5.
Apache::API::Password versions through v0.5.2 for Perl can generate insecure random values for salts. The _make_salt and _make_salt_bcrypt methods will attept to load Crypt::URandom and then Bytes::Random::Secure to generate random bytes for the salt. If those modules are unavailable, it will simply return 16 bytes generated with Perl's built-in rand function. The rand function is unsuitable for cryptographic use. These salts are used for password hashing.
Nordic Semiconductor IronSide SE for nRF54H20 before 23.0.2+17 has an Algorithmic complexity issue.
The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue.
Git for Windows is the Windows port of Git. Versions prior to 2.53.0.windows.3 do not have protections that prevent attackers from obtaining a user's NTLM hash. The NTLM hash can be obtained by tricking users into cloning a malicious repository, or checking out a malicious branch, that accesses an attacker-controlled server. By default, NTLM authentication does not need any user interaction. By brute-forcing the NTLMv2 hash (which is expensive, but possible), credentials can be extracted. This issue has been fixed in version 2.53.0.windows.3.
OpenProject is an open-source project management application. In versions prior to 17.3.0, 2FA OTP verification in the confirm_otp action of the two_factor_authentication module has no rate limiting, lockout mechanism, or failed-attempt tracking. The existing brute_force_block_after_failed_logins setting only counts password login failures and does not apply to the 2FA verification stage, and neither the fail_login nor stage_failure methods increment any counter, lock the account, or add any delay. With the default TOTP drift window of ±60 seconds allowing approximately 5 valid codes at any time, an attacker who knows a user's password can brute-force the 6-digit TOTP code at roughly 5-10 attempts per second with an expected completion time of approximately 11 hours. The same vulnerability applies to backup code verification. This effectively allows complete 2FA bypass for any account where the password is known. This issue has been fixed in version 17.3.0.
Jaaz 1.0.30 contains a remote code execution vulnerability in its MCP STDIO command execution handling. A remote attacker can send crafted network requests to the network-accessible Jaaz application, causing attacker-controlled commands to be executed on the server. Successful exploitation results in arbitrary command execution within the context of the Jaaz service, potentially allowing full compromise of the affected system.
HP System Optimizer might potentially be vulnerable to escalation of privilege. HP is releasing an update to mitigate this potential vulnerability.
Stored XSS in Accessibly WordPress plugin (≤3.0.3) allows unauthenticated attackers to inject malicious JavaScript executed by all site visitors via unprotected REST API endpoints. Two endpoints (/otm-ac/v1/update-widget-options and /otm-ac/v1/update-app-config) lack authentication checks (permission_callback set to __return_true), enabling attackers to modify the widgetSrc option with a URL pointing to attacker-controlled scripts. The malicious URL is stored unsanitized in WordPress options and
Stored Cross-Site Scripting in Quick Interest Slider plugin for WordPress (versions ≤3.1.5) allows unauthenticated remote attackers to inject malicious scripts via unsanitized 'loan-amount' and 'loan-period' parameters. Injected scripts execute in victim browsers when accessing compromised pages, enabling session hijacking, credential theft, or malicious redirects. CVSS 7.2 with network-accessible, low-complexity attack vector (AV:N/AC:L/PR:N) and scope change (S:C) indicates significant cross-tenant impact. No public exploit identified at time of analysis, though exploitation requires minimal technical sophistication due to unauthenticated attack surface.
Stored Cross-Site Scripting in Token of Trust WordPress plugin versions ≤3.32.3 allows unauthenticated remote attackers to inject malicious scripts via the unsanitized 'description' parameter, achieving persistent code execution in victim browsers with changed security context (CVSS scope changed). CVSS 7.2 with network attack vector and no authentication required. No public exploit identified at time of analysis, but EPSS data not provided to assess exploitation probability.
In Splunk MCP Server app versions below 1.0.3 , a user who holds a role with access to the Splunk `_internal` index or possesses the high-privilege capability `mcp_tool_admin` could view users session and authorization tokens in clear text.<br><br>The vulnerability would require either local access to the log files or administrative access to internal indexes, which by default only the admin role receives. <br><br>Review roles and capabilities on your instance and restrict internal index access to administrator-level roles. See [Define roles on the Splunk platform with capabilities](https://docs.splunk.com/Documentation/Splunk/latest/Security/Rolesandcapabilities) and [Connecting to MCP Server and Admin settings](https://help.splunk.com/en/splunk-enterprise/mcp-server-for-splunk-platform/connecting-to-mcp-server-and-admin-settings) in the Splunk documentation for more information.
Privilege escalation in Nozomi Networks Guardian and CMC Threat Intelligence module allows authenticated view-only users to perform administrative actions, including modifying or deleting threat intelligence rules. With CVSS 8.1 (High) driven by high integrity and availability impact, this access control bypass (CWE-863) enables low-privileged users to alter critical security configurations remotely. No public exploit identified at time of analysis, though EPSS data unavailable. Authentication requirements lower the barrier only slightly, as compromised low-privilege accounts are common in enterprise environments.
In Splunk Enterprise versions below 10.2.1, 10.0.5, 9.4.10, and 9.3.11, and Splunk Cloud Platform versions below 10.4.2603.0, 10.3.2512.5, 10.2.2510.9, 10.1.2507.19, 10.0.2503.13, and 9.3.2411.127, a low-privileged user that does not hold the `admin` or `power` Splunk roles could potentially perform a Remote Code Execution (RCE) by uploading a malicious file to the `$SPLUNK_HOME/var/run/splunk/apptemp` directory due to improper handling and insufficient isolation of temporary files within the `apptemp` directory.
Stored Cross-Site Scripting (XSS) in Nozomi Networks Guardian and CMC allows authenticated attackers with custom field privileges to inject malicious JavaScript payloads through the Assets and Nodes custom field functionality. When victims view affected pages, the XSS executes with high integrity and availability impact due to changed scope (CVSS S:C), enabling unauthorized actions including data modification and service disruption. No public exploit identified at time of analysis, though the attack complexity is low (AC:L) once custom field access is obtained.
During an internal security assessment, a potential vulnerability was discovered in Lenovo Software Fix, that during installation could allow a local authenticated user to execute code with elevated privileges.