Remote Spark SparkView RCE
net: do not pass flow_id to set_rps_cpu()
tcp: fix potential race in tcp_v6_syn_recv_sock()
ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data()
ksmbd: fix signedness bug in smb_direct_prepare_negotiation()
dlm: validate length in dlm_search_rsb_tree
ext4: handle wraparound when searching for blocks for indirect mapped blocks
electerm has Command Injection Vulnerability via runLinux function
electerm has Command Injection Vulnerability via runMac function
Command injection in Dashboard Server interface
Unvalidated shell.openExternal in electerm allows arbitrary protocol execution via terminal link click
electerm: dangerous code can be run through links or command line
netfilter: nft_set_pipapo_avx2: don't return non-matching entry on expiry
LiteLLM: SQL injection in Proxy API key verification
Weak credentials vulnerability in the CashDro 3 web administration panel
DrayTek Vigor 2960 < 1.5.1.4 OS Command Injection via mainfunction.cgi
netconsole: avoid OOB reads, msg is not nul-terminated
btrfs: tracepoints: get correct superblock from dentry in event btrfs_sync_file()
net: ioam6: fix OOB and missing lock
dcache: Limit the minimal number of bucket to two
net: ethernet: ec_bhf: Fix dma_free_coherent() dma handle
9p/xen: protect xen_9pfs_front_free against concurrent calls
smb: client: prevent races in ->query_interfaces()
net: wan: farsync: Fix use-after-free bugs caused by unfinished tasklets
cifs: Fix locking usage for tcon fields
xfs: delete attr leaf freemap entries when empty
wifi: rtw89: pci: validate release report content before using for RTL8922DE
wifi: iwlwifi: fix 22000 series SMEM parsing
xfs: fix freemap adjustments when adding xattrs to leaf blocks
wifi: wl1251: validate packet IDs before indexing tx_frames
fs/smb/client: fix out-of-bounds read in cifs_sanitize_prepath
wifi: brcmfmac: validate bsscfg indices in IF events
UltraDAG: Smart Account Spending Policy Bypass via Pockets
OpenLearnX has Critical Remote Code Execution Through Python Sandbox Escape via Code Execution Environment
User Frontend: AI Powered Frontend Posting, User Directory, Profile, Membership & User Registration <= 4.3.1 - Authenticated (Subscriber+) PHP Object Injection
zrok: WebDAV drive backend follows symlinks outside DriveRoot, enabling host filesystem read/write
LiteLLM: Authenticated command execution via MCP stdio test endpoints
xfrm6: fix uninitialized saddr in xfrm6_get_saddr()
LiteLLM: Server-Side Template Injection in /prompts/test endpoint
Weak credentials vulnerability in the CashDro 3 web administration panel
PredatorSense V3: Local Privilege Escalation (LPE) vulnerability
electerm: Path traversal in electerm runWidget leads to arbitrary code execution
mailbox: mchp-ipc-sbi: fix out-of-bounds access in mchp_ipc_get_cluster_aggr_irq()
netfilter: nf_conntrack_h323: fix OOB read in decode_choice()
netfilter: xt_tcpmss: check remaining length before reading optlen
Bluetooth: L2CAP: Fix missing key size check for L2CAP_LE_CONN_REQ
Apache CloudStack: MinIO policy remains intact on bucket deletion
KVM: nSVM: Always use vmcb01 in VMLOAD/VMSAVE emulation
electerm: RCE via malicious SSH server filename in openFileWithEditor
ALSA: usb-audio: Add sanity check for OOB writes at silencing
dm: clear cloned request bio pointer when last clone bio completes
media: chips-media: wave5: Fix Null reference while testing fluster
alpha: fix user-space corruption during memory compaction
media: qcom: camss: vfe: Fix out-of-bounds access in vfe_isr_reg_update()
vhost: move vdpa group bound check to vhost_vdpa
drm/amdgpu: Refactor amdgpu_gem_va_ioctl for Handling Last Fence Update and Timeline Management v4
drm/atmel-hlcdc: fix use-after-free of drm_crtc_commit after release
media: verisilicon: AV1: Fix tile info buffer size
KVM: x86: Add SRCU protection for reading PDPTRs in __get_sregs2()
LoongArch: Make cpumask_of_node() robust against NUMA_NO_NODE
PCI: Fix pci_slot_trylock() error handling
media: mtk-mdp: Fix error handling in probe function
drm/amdkfd: Fix out-of-bounds write in kfd_event_page_set()
net: usb: kaweth: remove TX queue manipulation in kaweth_set_rx_mode
procfs: fix possible double mmput() in do_procmap_query()
xfs: remove xfs_attr_leaf_hasname
perf/arm-cmn: Reject unsupported hardware configurations
RDMA/umem: Fix double dma_buf_unpin in failure path
ALSA: mixer: oss: Add card disconnect checkpoints
RDMA/irdma: Fix double free related to rereg_user_mr
netfilter: ctnetlink: ensure safe access to master conntrack
HID: roccat: fix use-after-free in roccat_report_event
cachefiles: fix incorrect dentry refcount in cachefiles_cull()
xsk: tighten UMEM headroom validation to account for tailroom and min frame
xfrm: Wait for RCU readers during policy netns exit
netfilter: nfnetlink_queue: make hash table per queue
crypto: af_alg - Fix page reassignment overflow in af_alg_pull_tsgl
ocfs2: validate inline data i_size during inode read
ocfs2: fix out-of-bounds write in ocfs2_write_end_inline
eventpoll: defer struct eventpoll free to RCU grace period
bpf: Reset register ID for BPF_END value tracking
xfs: don't irele after failing to iget in xfs_attri_recover_work
netfilter: nft_ct: drop pending enqueued packets on removal
Heimdall: Authorization bypass via path normalization mismatch
Heimdall: Case-sensitive host matching may lead to policy bypass
Heimdall: Case-sensitive handling of URL-encoded slashes may lead to inconsistent path interpretation
thermal: core: Address thermal zone removal races with resume
misc: fastrpc: possible double-free of cctx->remote_heap
crypto: algif_aead - Revert to operating out-of-place
ovpn: tcp - fix packet extraction from stream
iommu/amd: move wait_on_sem() out of spinlock
ntfs: ->d_compare() must not block
net/rds: Clear reconnect pending bit
net/rds: No shortcut out of RDS_CONN_ERROR
wifi: rtw89: pci: validate sequence number of TX release report
atm: fore200e: fix use-after-free in tasklets during device removal
net/mlx5e: Fix "scheduling while atomic" in IPsec MAC address query
net: consume xmit errors of GSO frames
rnbd-srv: Zero the rsp buffer before using it
udplite: Fix null-ptr-deref in __udp_enqueue_schedule_skb().
ipv6: ioam: fix potential NULL dereferences in __ioam6_fill_trace_data()
ipv4: icmp: fix null-ptr-deref in icmp_build_probe()
Memory safety bugs fixed in Thunderbird 150.0.2
Axios: Prototype pollution read-side gadgets in HTTP adapter allow credential injection and request hijacking
Tenda CX12L SetPptpServerCfg formSetPPTPServer stack-based overflow
Totolink X5000R formDdns sub_458E40 buffer overflow
Use-after-free in the DOM: Networking component
Auto Affiliate Links <= 6.8.8 - Unauthenticated Stored Cross-Site Scripting via 'url' Parameter
drm/xe: Add bounds check on pat_index to prevent OOB kernel read in madvise
erofs: fix interlaced plain identification for encoded extents
Bluetooth: L2CAP: Fix type confusion in l2cap_ecred_reconf_rsp()
PromptHub: Authenticated SSRF via IPv6 filter bypass in `POST /api/skills/fetch-remote`
An Out-of-bounds Read vulnerability in the IOCTL handler in ASUS System Control Interface allows a local user to cause a system crash (BSOD) via a read size that exceeds the buffer size. Refer to the 'Security Update for MyASUS' section on the ASUS Security Advisory for more information.
Onyx: IDOR in /chat/file/{file_id} allows any authenticated user to download other users' files
Apache CloudStack: Domain/account resources limits not honored
WordPress Enfold theme <= 7.1.3 - Cross Site Scripting (XSS) vulnerability
E2Pdf – Export Pdf Tool for WordPress <= 1.32.17 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'id' Shortcode Attribute
Sky Addons <= 3.3.2 - Authenticated (Author+) Stored Cross-Site Scripting via Custom Script
NMR Strava activities <= 1.0.14 - Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode Attributes
PKIX draft CompositeVerifier accepts empty signature sequence as valid.
solidtime: Time entry update endpoint allows cross-organization modification of a known time-entry UUID
electerm: Full process.env exposed to renderer via window.pre.env in electerm
Nuclei: Local File Read via require() Module Loader Bypass
zyx0814 FilePress Shares Filelist API admin.php sql injection
CodeAstro Leave Management System login.php sql injection
SourceCodester SUP Online Shopping replymsg.php sql injection
SourceCodester SUP Online Shopping message.php sql injection
SourceCodester SUP Online Shopping wishlist.php sql injection
SourceCodester SUP Online Shopping viewmsg.php sql injection
SourceCodester Comment System post_comment.php sql injection
Kimai: Formula Injection via tag names in XLSX export
Nuclei: Environment variable disclosure via Response-Derived DSL Expressions
Multiple vulnerabilities in Cradle e-commerce
wlc: print_html outputs API data without HTML escaping, enabling stored XSS
GCM chunking can lead to bad tag exception on decryption
Onyx: IDOR in /chat/stop-chat-session allows any authenticated user to interrupt other users' chat sessions
Kimai: Arbitrary file read in invoice PDF renderer (admin)
Kimai: Team API Missing Object-Level Authorization
In OpenStack Ironic through 35.x, instance_info['ks_template'] is rendered without sandboxing.
In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal.
In uriparser before 1.0.2, there is pointer difference truncation to int in various places.
eladmin Users API Endpoint UserController.java checkLevel access control
code-projects Simple Chat System sendMessage.php sql injection
Open5GS NSSF message.c ogs_sbi_discovery_option_add_snssais denial of service
Open5GS NSSF message.c ogs_sbi_discovery_option_add_service_names denial of service
Open5GS NSSF conv.c ogs_sbi_parse_plmn_list denial of service
Open5GS NSSF nnssf-handler.c denial of service
SourceCodester Pizzafy Ecommerce System index.php cross site scripting
huangjunsen0406 xiaozhi-mcphub dxtController.ts path traversal
An Exposed IOCTL with Insufficient Access Control vulnerability in AsusPTPFilter allows a local user to bypass driver security mechanisms and obtain restricted touchpad information or render the touchpad unusable via crafted IOCTL requests. Refer to the 'Security Update for ASUS Precision Touchpad' section on the ASUS Security Advisory for more information.
SourceCodester Pharmacy Sales and Inventory System index.php users cross site scripting
GPAC box_code_base.c sidx_box_read allocation of resources
Open5GS NSSF nghttp2-server.c ogs_sbi_stream_find_by_id denial of service
xfrm: esp: avoid in-place decrypt on shared skb frags
Apache CloudStack: Proxmox Extension Allows Unauthorized Cross-Tenant Instance Access
Apache CloudStack: Unauthenticated Command Injection in Direct Download Templates
NAVER MYBOX Explorer for Windows before 3.0.11.160 allows a local attacker to escalate privileges to NT AUTHORITY\SYSTEM via registry manipulation due to improper privilege checks.
Other issue in the WebRTC component
Memory safety bugs fixed in Thunderbird ESR 140.10.2 and Thunderbird 150.0.2
SureTriggers < 1.1.23 – Unauthenticated SQLi
Netgate pfSense CE 2.8.0 allows code execution in the XMLRPC API via pfsense.exec_php. NOTE: the Supplier disputes this because the API call is only available to admins and they are intentionally allowed to execute PHP code.
Netgate pfSense CE 2.7.2 allows code execution by using the module installer with a backup file with a serialized PHP object containing the post_reboot_commands property. NOTE: the Supplier disputes this because this installer is only available to admins and they are intentionally allowed to execute PHP code.
RayVentory Scan Engine through 12.6 Update 8 allows attackers to gain privileges if they control the value of the PATH environment variable. NOTE: this is disputed because ability of an attacker to control the environment is a site-specific misconfiguration.
An issue was discovered in Control Web Panel (CWP) before 0.9.8.1209. User input passed via the "key" GET parameter to /admin/index.php (when the "api" parameter is set) is not properly sanitized before being used to execute OS commands. This can be exploited by unauthenticated attackers to inject and execute arbitrary OS commands with the privileges of root on the web server. Softaculous or SitePad must be present.
1C-Bitrix through 25.100.500 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website.
Bitrix24 through 25.100.300 allows Remote Code Execution because an actor with SOURCE/WRITE permissions for the Translate Module can upload and execute code by sending a PHP file and a .htaccess file. NOTE: this is disputed by the Supplier because this is intended behavior for the high-privileged users who can upload new translated pages to the website.
Apache CloudStack: Any user can attach a volume in their VMs from backups they should not have access to
Apache CloudStack: Any user can create a new VM from backups they should not have access to
Apache CloudStack: Any user can list backups that they should not have access to
AstrBotDevs AstrBot 3.5.15 has Advanced_System_for_Text_Response_and_Bot_Operations_Tool as the hardcoded private key used to sign a JWT.
LINQPad before 5.52.01 Pro edition is vulnerable to Unsafe Deserialization in LINQPad.AutoRefManager::PopulateFromCache(), leading to code execution.
LibreNMS before 24.10.0 allows a remote attacker to execute arbitrary code via OS command injection involving AboutController.php's index(), SettingsController.php's update(), and PollDevice.php's initRrdDirectory().
yeti-platform yeti before 2.1.12 allows attackers to generate valid JWT tokens if the secret is not changed (by setting YETI_AUTH_SECRET_KEY to a value other than SECRET).
A SSTI (server side template injection) vulnerability in the custom template export function in yeti-platform yeti before 2.1.12 allows attackers to execute code on the application server.
A Command Injection issue in the payload build page in BYOB (Build Your Own Botnet) 2.0 allows attackers to execute arbitrary commands on the server via a crafted build parameter. This occurs in freeze in core/generators.py.
SOPlanning 1.52.00 is vulnerable to Cross Site Scripting (XSS) via the groupe_id parameter to process/groupe_save.php.
SOPlanning 1.52.00 is vulnerable to SQL Injection by an authenticated user via projets.php with statut[].
Prison Management System Using PHP v1.0 was discovered to contain a SQL injection vulnerability via the username on the Admin login page.
/cgi-bin/time.cgi in Atlona AT-OME-MS42 Matrix Switcher 1.1.2 allows remote authenticated users to execute arbitrary commands as root via a POST request that carries a serverName parameter.
Mikrotik RouterOS (x86) 6.40.5 through 6.49.10 (fixed in 7) allows a remote attacker to cause a denial of service (device crash) via crafted packet data to the SMB service on TCP port 445.
In libslic3r/GCode/PostProcessor.cpp in Prusa PrusaSlicer through 2.6.1, a crafted 3mf project file can execute arbitrary code on a host where the project is sliced and G-code exported.
Certain GL.iNet devices with 4.x firmware allow authentication bypass (resulting in administrative control of the device) via a username that is both a valid SQL statement and a valid regular expression. For example, this affects version 4.3.7 on GL-MT3000, GL-AR300M, GL-B1300, GL-AX1800, GL-AR750S, GL-MT2500, GL-AXT1800, GL-X3000, and GL-SFT1200.
Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host.
A Cross Site Scripting vulnerability in Alkacon OpenCms before 16 exists via updateModelGroups.jsp.
Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet.
A Cross Site Scripting vulnerability in Alkacon OpenCms before 10.5.1 exists via cmis-online/type.
Nokia Broadcast Message Center (BMC) before 13.1 allows an unauthenticated remote attacker to do OS command injection as root via shell metacharacters in the Log Scanner Search Pattern field.
The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xbb94.
The socket connection handler in aswArPot.sys in the Avast and AVG Windows Anti Rootkit driver before 22.1 allows local attackers to execute arbitrary code in kernel mode or cause a denial of service (memory corruption and OS crash) due to a double fetch vulnerability at aswArPot+0xc4a3.
In Thruk Monitoring through 2.46.3, the login field of the login form is vulnerable to reflected XSS. This vulnerability can be exploited by unauthenticated remote attackers to target users of the monitoring interface.
Apache::Session versions through 1.94 for Perl re-creates deleted sessions