Monthly
Fleet device management software versions prior to 4.81.1 allow malicious enrolled Windows devices to access Mobile Device Management (MDM) commands intended for other devices, potentially disclosing sensitive configuration data including WiFi credentials, VPN secrets, and certificate payloads across the entire Windows fleet. The vulnerability stems from improper authorization controls in Windows MDM command processing, affecting any organization using Fleet for Windows device management. Vendor-released patch: version 4.81.1.
Zabbix Server and Proxy reuse JavaScript (Duktape) execution contexts across script items, JavaScript preprocessing, and webhooks for performance optimization, allowing non-super administrators to leak sensitive data about hosts they lack authorization to access through context variable persistence. The vulnerability enables information disclosure attacks where a regular administrator can access confidential monitoring data from restricted hosts by exploiting shared JavaScript execution environments. A patch has been released that makes built-in Zabbix JavaScript objects read-only, though global variable usage remains unsafe even after remediation.
Email content leakage in Lettermint Node.js SDK versions 1.5.0 and below allows local authenticated users to intercept sensitive email data when a single client instance sends multiple messages, as email properties are not properly cleared between sends. Applications using transactional email flows with reused client instances risk exposing recipient addresses and message content to unintended parties. The vulnerability has been patched in version 1.5.1.
Whisper Money versions before 0.1.5 contain an insecure direct object reference vulnerability that allows authenticated users to modify bank account balances belonging to other users. An attacker with valid credentials can exploit this to manipulate financial data across multiple accounts without authorization. A patch is available in version 0.1.5 and should be applied immediately.
OpenProject versions prior to 16.6.5 and 17.0.1 fail to properly validate session ownership in the session deletion endpoint, allowing authenticated users to forcibly log out arbitrary other users by iterating through sequential session IDs. An attacker with valid credentials can exploit the predictable session ID scheme via DELETE requests to /my/sessions/:id to terminate other users' sessions without authorization. No patch is currently available, and this vulnerability requires only valid authentication to exploit.
Spotipy is a Python library for the Spotify Web API. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch available.
An issue was discovered in OPC cardsystems Webapp Aufwertung 2.1.0. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable with no authentication required and low attack complexity. No vendor patch available.
A flaw was found in cifs-utils. Rated medium severity (CVSS 5.9), this vulnerability requires no authentication. No vendor patch available.
Element Android is an Android Matrix Client provided by Element. Rated medium severity (CVSS 5.1), this vulnerability requires no authentication and has low attack complexity.
Quarkus REST endpoints using field injection without a CDI scope annotation leak request parameters across concurrent HTTP requests, enabling authenticated attackers to manipulate data, impersonate users, or access sensitive information belonging to other concurrent sessions. Red Hat has confirmed the vulnerability (CVE-2025-1247) with a CVSS score of 8.3, affecting Quarkus-based applications. The EPSS score of 0.18% (40th percentile) indicates a relatively low predicted exploitation probability, and no public exploit had been identified at the time of analysis.