Monthly
SQL wildcard character injection in ClipBucket v5's subtitle editing endpoint allows authenticated users to overwrite all subtitle titles across every video they own in a single HTTP request. Affected versions are all releases prior to 5.5.3 - #141 of the open-source video sharing platform maintained by MacWarrior. No public exploit exists and the vulnerability is not listed in CISA KEV, but the trivial exploitation mechanism (a single % character) means any authenticated account could cause bulk subtitle data corruption against their own content.
CVE-2025-4232 is an improper neutralization of wildcards vulnerability in Palo Alto Networks GlobalProtect app for macOS that allows non-administrative users to escalate privileges to root through the log collection feature. With a CVSS score of 8.8 and requiring only low complexity remote network access with low privileges, this vulnerability presents a critical privilege escalation risk. The attack requires user interaction only at the network level (not UI) and affects the confidentiality, integrity, and availability of affected systems.
Laravel is a web application framework. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
The Cloud MQTT service of the affected products supports wildcard topic subscription which could allow an attacker to obtain sensitive information from tapping the service communications. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
kubewarden-controller is a Kubernetes controller that allows you to dynamically register Kubewarden admission policies. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A wildcard expansion vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to enumerate files on the host filesystem. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow an attacker to subscribe to partial possible topics in Ruijie MQTT broker, and receive partial messages being sent to and. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An improper neutralization of matching symbols vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables authenticated administrators (including read-only administrators). Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API alwaysmulti.cgi was vulnerable for file globbing which could lead to resource exhaustion of the Axis device. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs mediaclip.cgi and playclip.cgi was vulnerable for file globbing which could lead to a resource exhaustion attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
SQL wildcard character injection in ClipBucket v5's subtitle editing endpoint allows authenticated users to overwrite all subtitle titles across every video they own in a single HTTP request. Affected versions are all releases prior to 5.5.3 - #141 of the open-source video sharing platform maintained by MacWarrior. No public exploit exists and the vulnerability is not listed in CISA KEV, but the trivial exploitation mechanism (a single % character) means any authenticated account could cause bulk subtitle data corruption against their own content.
CVE-2025-4232 is an improper neutralization of wildcards vulnerability in Palo Alto Networks GlobalProtect app for macOS that allows non-administrative users to escalate privileges to root through the log collection feature. With a CVSS score of 8.8 and requiring only low complexity remote network access with low privileges, this vulnerability presents a critical privilege escalation risk. The attack requires user interaction only at the network level (not UI) and affects the confidentiality, integrity, and availability of affected systems.
Laravel is a web application framework. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.
The Cloud MQTT service of the affected products supports wildcard topic subscription which could allow an attacker to obtain sensitive information from tapping the service communications. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. No vendor patch available.
kubewarden-controller is a Kubernetes controller that allows you to dynamically register Kubewarden admission policies. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
A wildcard expansion vulnerability in Palo Alto Networks Expedition allows an unauthenticated attacker to enumerate files on the host filesystem. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
Ruijie Reyee OS versions 2.206.x up to but not including 2.320.x could allow an attacker to subscribe to partial possible topics in Ruijie MQTT broker, and receive partial messages being sent to and. Rated high severity (CVSS 8.7), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
An improper neutralization of matching symbols vulnerability in the Palo Alto Networks PAN-OS command line interface (CLI) enables authenticated administrators (including read-only administrators). Rated medium severity (CVSS 6.7), this vulnerability is low attack complexity. No vendor patch available.
Marinus Pfund, member of the AXIS OS Bug Bounty Program, has found the VAPIX API alwaysmulti.cgi was vulnerable for file globbing which could lead to resource exhaustion of the Axis device. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.
Sandro Poppi, member of the AXIS OS Bug Bounty Program, has found that the VAPIX APIs mediaclip.cgi and playclip.cgi was vulnerable for file globbing which could lead to a resource exhaustion attack. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.