CVE-2025-3910 - Keycloak Authorization Bypass Vulnerability
CVE ID : CVE-2025-3910
Published : April 29, 2025, 9:15 p.m. | 3 hours, 29 minutes ago
Description : A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3910
Published : April 29, 2025, 9:15 p.m. | 3 hours, 29 minutes ago
Description : A flaw was found in Keycloak. The org.keycloak.authorization package may be vulnerable to circumventing required actions, allowing users to circumvent requirements such as setting up two-factor authentication.
Severity: 5.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46344 - Auth0 Next.js SDK: JWE Token Expiration Claim Omission
CVE ID : CVE-2025-46344
Published : April 29, 2025, 9:15 p.m. | 3 hours, 29 minutes ago
Description : The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid. This issue has been patched in version 4.5.1.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-46344
Published : April 29, 2025, 9:15 p.m. | 3 hours, 29 minutes ago
Description : The Auth0 Next.js SDK is a library for implementing user authentication in Next.js applications. Versions starting from 4.0.1 and prior to 4.5.1, do not invoke `.setExpirationTime` when generating a JWE token for the session. As a result, the JWE does not contain an internal expiration claim. While the session cookie may expire or be cleared, the JWE remains valid. This issue has been patched in version 4.5.1.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46348 - YesWiki Unauthenticated Archive Creation and Download Vulnerability
CVE ID : CVE-2025-46348
Published : April 29, 2025, 9:15 p.m. | 3 hours, 29 minutes ago
Description : YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the request to commence a site backup can be performed and downloaded without authentication. The archives are created with a predictable filename, so a malicious user could create and download an archive without being authenticated. This could result in a malicious attacker making numerous requests to create archives and fill up the file system, or by downloading the archive which contains sensitive site information. This issue has been patched in version 4.5.4.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-46348
Published : April 29, 2025, 9:15 p.m. | 3 hours, 29 minutes ago
Description : YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the request to commence a site backup can be performed and downloaded without authentication. The archives are created with a predictable filename, so a malicious user could create and download an archive without being authenticated. This could result in a malicious attacker making numerous requests to create archives and fill up the file system, or by downloading the archive which contains sensitive site information. This issue has been patched in version 4.5.4.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46549 - YesWiki Reflected Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-46549
Published : April 29, 2025, 9:15 p.m. | 3 hours, 29 minutes ago
Description : YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-46549
Published : April 29, 2025, 9:15 p.m. | 3 hours, 29 minutes ago
Description : YesWiki is a wiki system written in PHP. Prior to version 4.5.4, an attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46550 - YesWiki Reflected Cross-Site Scripting Vulnerability
CVE ID : CVE-2025-46550
Published : April 29, 2025, 9:15 p.m. | 3 hours, 29 minutes ago
Description : YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the `/?BazaR` endpoint and `idformulaire` parameter are vulnerable to cross-site scripting. An attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-46550
Published : April 29, 2025, 9:15 p.m. | 3 hours, 29 minutes ago
Description : YesWiki is a wiki system written in PHP. Prior to version 4.5.4, the `/?BazaR` endpoint and `idformulaire` parameter are vulnerable to cross-site scripting. An attacker can use a reflected cross-site scripting attack to steal cookies from an authenticated user by having them click on a malicious link. Stolen cookies allow the attacker to take over the user’s session. This vulnerability may also allow attackers to deface the website or embed malicious content. This issue has been patched in version 4.5.4.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2023-4377 - Apache Struts Remote Code Execution Vulnerability
CVE ID : CVE-2023-4377
Published : April 29, 2025, 11:15 p.m. | 1 hour, 29 minutes ago
Description : Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2023-4377
Published : April 29, 2025, 11:15 p.m. | 1 hour, 29 minutes ago
Description : Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-29906 - Finit TTY Authentication Bypass Vulnerability
CVE ID : CVE-2025-29906
Published : April 29, 2025, 11:16 p.m. | 1 hour, 29 minutes ago
Description : Finit is a fast init for Linux systems. Versions starting from 3.0-rc1 and prior to version 4.11 bundle an implementation of getty for the `tty` configuration directive that can bypass `/bin/login`, i.e., a user can log in as any user without authentication. This issue has been patched in version 4.11.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-29906
Published : April 29, 2025, 11:16 p.m. | 1 hour, 29 minutes ago
Description : Finit is a fast init for Linux systems. Versions starting from 3.0-rc1 and prior to version 4.11 bundle an implementation of getty for the `tty` configuration directive that can bypass `/bin/login`, i.e., a user can log in as any user without authentication. This issue has been patched in version 4.11.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3358 - CVE-2022-36337 Oracle WebLogic Server Cross-Site Scripting
CVE ID : CVE-2025-3358
Published : April 29, 2025, 11:16 p.m. | 1 hour, 29 minutes ago
Description : Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3358
Published : April 29, 2025, 11:16 p.m. | 1 hour, 29 minutes ago
Description : Rejected reason: This CVE ID has been rejected or withdrawn by its CVE Numbering Authority.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46552 - GitHub KHC-INVITATION-AUTOMATION Unauthenticated User Data Disclosure
CVE ID : CVE-2025-46552
Published : April 29, 2025, 11:16 p.m. | 1 hour, 29 minutes ago
Description : KHC-INVITATION-AUTOMATION is a GitHub automation script that automatically invites followers of a bot account to join your organization. In some commits on version 1.2, a vulnerability was identified where user data, including email addresses and Discord usernames, were exposed in API responses without proper access controls. This allowed unauthorized users to access sensitive user information by directly calling specific endpoints. This issue has been patched in a later commit on version 1.2.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-46552
Published : April 29, 2025, 11:16 p.m. | 1 hour, 29 minutes ago
Description : KHC-INVITATION-AUTOMATION is a GitHub automation script that automatically invites followers of a bot account to join your organization. In some commits on version 1.2, a vulnerability was identified where user data, including email addresses and Discord usernames, were exposed in API responses without proper access controls. This allowed unauthorized users to access sensitive user information by directly calling specific endpoints. This issue has been patched in a later commit on version 1.2.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-30202 - vLLM ZeroMQ Denial of Service and Data Exposure Vulnerability
CVE ID : CVE-2025-30202
Published : April 30, 2025, 1:15 a.m. | 3 hours, 29 minutes ago
Description : vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.5.2 and prior to 0.8.5 are vulnerable to denial of service and data exposure via ZeroMQ on multi-node vLLM deployment. In a multi-node vLLM deployment, vLLM uses ZeroMQ for some multi-node communication purposes. The primary vLLM host opens an XPUB ZeroMQ socket and binds it to ALL interfaces. While the socket is always opened for a multi-node deployment, it is only used when doing tensor parallelism across multiple hosts. Any client with network access to this host can connect to this XPUB socket unless its port is blocked by a firewall. Once connected, these arbitrary clients will receive all of the same data broadcasted to all of the secondary vLLM hosts. This data is internal vLLM state information that is not useful to an attacker. By potentially connecting to this socket many times and not reading data published to them, an attacker can also cause a denial of service by slowing down or potentially blocking the publisher. This issue has been patched in version 0.8.5.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-30202
Published : April 30, 2025, 1:15 a.m. | 3 hours, 29 minutes ago
Description : vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.5.2 and prior to 0.8.5 are vulnerable to denial of service and data exposure via ZeroMQ on multi-node vLLM deployment. In a multi-node vLLM deployment, vLLM uses ZeroMQ for some multi-node communication purposes. The primary vLLM host opens an XPUB ZeroMQ socket and binds it to ALL interfaces. While the socket is always opened for a multi-node deployment, it is only used when doing tensor parallelism across multiple hosts. Any client with network access to this host can connect to this XPUB socket unless its port is blocked by a firewall. Once connected, these arbitrary clients will receive all of the same data broadcasted to all of the secondary vLLM hosts. This data is internal vLLM state information that is not useful to an attacker. By potentially connecting to this socket many times and not reading data published to them, an attacker can also cause a denial of service by slowing down or potentially blocking the publisher. This issue has been patched in version 0.8.5.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-32444 - "vLLM Mooncake ZeroMQ Remote Code Execution"
CVE ID : CVE-2025-32444
Published : April 30, 2025, 1:15 a.m. | 3 hours, 29 minutes ago
Description : vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.6.5 and prior to 0.8.5, having vLLM integration with mooncake, are vulnerable to remote code execution due to using pickle based serialization over unsecured ZeroMQ sockets. The vulnerable sockets were set to listen on all network interfaces, increasing the likelihood that an attacker is able to reach the vulnerable ZeroMQ sockets to carry out an attack. vLLM instances that do not make use of the mooncake integration are not vulnerable. This issue has been patched in version 0.8.5.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-32444
Published : April 30, 2025, 1:15 a.m. | 3 hours, 29 minutes ago
Description : vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.6.5 and prior to 0.8.5, having vLLM integration with mooncake, are vulnerable to remote code execution due to using pickle based serialization over unsecured ZeroMQ sockets. The vulnerable sockets were set to listen on all network interfaces, increasing the likelihood that an attacker is able to reach the vulnerable ZeroMQ sockets to carry out an attack. vLLM instances that do not make use of the mooncake integration are not vulnerable. This issue has been patched in version 0.8.5.
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46560 - LLaMA LLM Multimodal Tokenizer Resource Exhaustion
CVE ID : CVE-2025-46560
Published : April 30, 2025, 1:15 a.m. | 3 hours, 29 minutes ago
Description : vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.8.0 and prior to 0.8.5 are affected by a critical performance vulnerability in the input preprocessing logic of the multimodal tokenizer. The code dynamically replaces placeholder tokens (e.g., <|audio_|>, <|image_|>) with repeated tokens based on precomputed lengths. Due to inefficient list concatenation operations, the algorithm exhibits quadratic time complexity (O(n²)), allowing malicious actors to trigger resource exhaustion via specially crafted inputs. This issue has been patched in version 0.8.5.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-46560
Published : April 30, 2025, 1:15 a.m. | 3 hours, 29 minutes ago
Description : vLLM is a high-throughput and memory-efficient inference and serving engine for LLMs. Versions starting from 0.8.0 and prior to 0.8.5 are affected by a critical performance vulnerability in the input preprocessing logic of the multimodal tokenizer. The code dynamically replaces placeholder tokens (e.g., <|audio_|>, <|image_|>) with repeated tokens based on precomputed lengths. Due to inefficient list concatenation operations, the algorithm exhibits quadratic time complexity (O(n²)), allowing malicious actors to trigger resource exhaustion via specially crafted inputs. This issue has been patched in version 0.8.5.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46778 - Apache HTTP Server Denial of Service
CVE ID : CVE-2025-46778
Published : April 30, 2025, 3:15 a.m. | 1 hour, 30 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-46778
Published : April 30, 2025, 3:15 a.m. | 1 hour, 30 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46779 - Apache HTTP Server HTTP Header Injection
CVE ID : CVE-2025-46779
Published : April 30, 2025, 3:15 a.m. | 1 hour, 30 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-46779
Published : April 30, 2025, 3:15 a.m. | 1 hour, 30 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46780 - Apache HTTP Server Denial of Service
CVE ID : CVE-2025-46780
Published : April 30, 2025, 3:15 a.m. | 1 hour, 30 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-46780
Published : April 30, 2025, 3:15 a.m. | 1 hour, 30 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46781 - Apache OpenOffice Insufficient Input Validation
CVE ID : CVE-2025-46781
Published : April 30, 2025, 3:15 a.m. | 1 hour, 30 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-46781
Published : April 30, 2025, 3:15 a.m. | 1 hour, 30 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-46782 - Apache HTTP Server Unvalidated Request Parameter
CVE ID : CVE-2025-46782
Published : April 30, 2025, 3:15 a.m. | 1 hour, 30 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-46782
Published : April 30, 2025, 3:15 a.m. | 1 hour, 30 minutes ago
Description : Rejected reason: Not used
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3471 - "SureForms WordPress Plugin Unauthenticated Configuration Update"
CVE ID : CVE-2025-3471
Published : April 30, 2025, 6:15 a.m. | 2 hours, 29 minutes ago
Description : The SureForms WordPress plugin before 1.4.4 does not have proper authorisation check when updating its settings via the REST API, which could allow Contributor and above roles to perform such action
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3471
Published : April 30, 2025, 6:15 a.m. | 2 hours, 29 minutes ago
Description : The SureForms WordPress plugin before 1.4.4 does not have proper authorisation check when updating its settings via the REST API, which could allow Contributor and above roles to perform such action
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-3953 - WordPress WP Statistics Unauthenticated Settings Modification Vulnerability
CVE ID : CVE-2025-3953
Published : April 30, 2025, 6:15 a.m. | 2 hours, 29 minutes ago
Description : The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'optionUpdater' function in all versions up to, and including, 14.13.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin settings.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-3953
Published : April 30, 2025, 6:15 a.m. | 2 hours, 29 minutes ago
Description : The WP Statistics – The Most Popular Privacy-Friendly Analytics Plugin plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'optionUpdater' function in all versions up to, and including, 14.13.3. This makes it possible for authenticated attackers, with Subscriber-level access and above, to update arbitrary plugin settings.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-22882 - Delta Electronics ISPSoft Buffer Overflow
CVE ID : CVE-2025-22882
Published : April 30, 2025, 8:15 a.m. | 30 minutes ago
Description : Delta Electronics ISPSoft version 3.20 is vulnerable to a Stack-Based buffer overflow vulnerability that could allow an attacker to leverage debugging logic to execute arbitrary code when parsing CBDGL file.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-22882
Published : April 30, 2025, 8:15 a.m. | 30 minutes ago
Description : Delta Electronics ISPSoft version 3.20 is vulnerable to a Stack-Based buffer overflow vulnerability that could allow an attacker to leverage debugging logic to execute arbitrary code when parsing CBDGL file.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-22883 - Delta Electronics ISPSoft Out-Of-Bounds Write Vulnerability
CVE ID : CVE-2025-22883
Published : April 30, 2025, 8:15 a.m. | 30 minutes ago
Description : Delta Electronics ISPSoft version 3.20 is vulnerable to an Out-Of-Bounds Write vulnerability that could allow an attacker to execute arbitrary code when parsing DVP file.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-22883
Published : April 30, 2025, 8:15 a.m. | 30 minutes ago
Description : Delta Electronics ISPSoft version 3.20 is vulnerable to an Out-Of-Bounds Write vulnerability that could allow an attacker to execute arbitrary code when parsing DVP file.
Severity: 7.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...