CVE-2023-28814 - Hikvision iSecure Center Improper File Upload Vulnerability
CVE ID : CVE-2023-28814
Published : Oct. 17, 2025, 11:15 a.m. | 30 minutes ago
Description : Some versions of Hikvision's iSecure Center Product have an improper file upload control vulnerability. Due to the improper verification of file to be uploaded, attackers may upload malicious files to the server. iSecure Center is software released for China's domestic market only, with no overseas release.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2023-28814
Published : Oct. 17, 2025, 11:15 a.m. | 30 minutes ago
Description : Some versions of Hikvision's iSecure Center Product have an improper file upload control vulnerability. Due to the improper verification of file to be uploaded, attackers may upload malicious files to the server. iSecure Center is software released for China's domestic market only, with no overseas release.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-11902 - yanyutao0402 ChanCMS findField sql injection
CVE ID : CVE-2025-11902
Published : Oct. 17, 2025, 2:15 p.m. | 1 hour, 31 minutes ago
Description : A vulnerability was detected in yanyutao0402 ChanCMS up to 3.3.2. Affected by this vulnerability is the function findField of the file /cms/article/findField. Performing manipulation of the argument cid results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-11902
Published : Oct. 17, 2025, 2:15 p.m. | 1 hour, 31 minutes ago
Description : A vulnerability was detected in yanyutao0402 ChanCMS up to 3.3.2. Affected by this vulnerability is the function findField of the file /cms/article/findField. Performing manipulation of the argument cid results in sql injection. The attack can be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-11903 - yanyutao0402 ChanCMS update sql injection
CVE ID : CVE-2025-11903
Published : Oct. 17, 2025, 2:15 p.m. | 1 hour, 31 minutes ago
Description : A flaw has been found in yanyutao0402 ChanCMS up to 3.3.2. Affected by this issue is the function update of the file /cms/article/update. Executing manipulation of the argument cid can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-11903
Published : Oct. 17, 2025, 2:15 p.m. | 1 hour, 31 minutes ago
Description : A flaw has been found in yanyutao0402 ChanCMS up to 3.3.2. Affected by this issue is the function update of the file /cms/article/update. Executing manipulation of the argument cid can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-48044 - Authorization bypass when bypass policy condition evaluates to true
CVE ID : CVE-2025-48044
Published : Oct. 17, 2025, 2:15 p.m. | 1 hour, 31 minutes ago
Description : Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2. This issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-48044
Published : Oct. 17, 2025, 2:15 p.m. | 1 hour, 31 minutes ago
Description : Incorrect Authorization vulnerability in ash-project ash allows Authentication Bypass. This vulnerability is associated with program files lib/ash/policy/policy.ex and program routines 'Elixir.Ash.Policy.Policy':expression/2. This issue affects ash: from pkg:hex/ash@3.6.3 before pkg:hex/ash@3.7.1, from 3.6.3 before 3.7.1, from 79749c2685ea031ebb2de8cf60cc5edced6a8dd0 before 8b83efa225f657bfc3656ad8ee8485f9b2de923d.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-60359 - Radare2 Bin Object Memory Leak
CVE ID : CVE-2025-60359
Published : Oct. 17, 2025, 2:15 p.m. | 1 hour, 31 minutes ago
Description : radare2 v5.9.8 and before contains a memory leak in the function r_bin_object_new.
Severity: 4.0 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-60359
Published : Oct. 17, 2025, 2:15 p.m. | 1 hour, 31 minutes ago
Description : radare2 v5.9.8 and before contains a memory leak in the function r_bin_object_new.
Severity: 4.0 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-60360 - Radare2 Memory Leak Vulnerability
CVE ID : CVE-2025-60360
Published : Oct. 17, 2025, 2:15 p.m. | 1 hour, 31 minutes ago
Description : radare2 v5.9.8 and before contains a memory leak in the function r2r_subprocess_init.
Severity: 3.3 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-60360
Published : Oct. 17, 2025, 2:15 p.m. | 1 hour, 31 minutes ago
Description : radare2 v5.9.8 and before contains a memory leak in the function r2r_subprocess_init.
Severity: 3.3 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-11904 - yanyutao0402 ChanCMS hasUse sql injection
CVE ID : CVE-2025-11904
Published : Oct. 17, 2025, 3:15 p.m. | 31 minutes ago
Description : A vulnerability has been found in yanyutao0402 ChanCMS up to 3.3.2. This affects the function hasUse of the file /cms/model/hasUse. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-11904
Published : Oct. 17, 2025, 3:15 p.m. | 31 minutes ago
Description : A vulnerability has been found in yanyutao0402 ChanCMS up to 3.3.2. This affects the function hasUse of the file /cms/model/hasUse. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-48087 - WordPress Memberlite Shortcodes plugin <= 1.4.1 - Cross Site Scripting (XSS) vulnerability
CVE ID : CVE-2025-48087
Published : Oct. 17, 2025, 3:15 p.m. | 31 minutes ago
Description : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jason C. Memberlite Shortcodes memberlite-shortcodes allows Stored XSS.This issue affects Memberlite Shortcodes: from n/a through 1.4.1.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-48087
Published : Oct. 17, 2025, 3:15 p.m. | 31 minutes ago
Description : Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jason C. Memberlite Shortcodes memberlite-shortcodes allows Stored XSS.This issue affects Memberlite Shortcodes: from n/a through 1.4.1.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-55085 - Web http client: Unchecked Server-Side Malicious Packet Issue
CVE ID : CVE-2025-55085
Published : Oct. 17, 2025, 3:15 p.m. | 31 minutes ago
Description : In NextX Duo before 6.4.4, in the HTTP client module, the network support code for Eclipse Foundation ThreadX, the parsing of HTTP header fields was missing bounds verification. A crafted server response could cause undefined behavior.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-55085
Published : Oct. 17, 2025, 3:15 p.m. | 31 minutes ago
Description : In NextX Duo before 6.4.4, in the HTTP client module, the network support code for Eclipse Foundation ThreadX, the parsing of HTTP header fields was missing bounds verification. A crafted server response could cause undefined behavior.
Severity: 8.8 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-60361 - Radare2 Bochs Open Memory Leak
CVE ID : CVE-2025-60361
Published : Oct. 17, 2025, 3:15 p.m. | 31 minutes ago
Description : radare2 v5.9.8 and before contains a memory leak in the function bochs_open.
Severity: 2.8 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-60361
Published : Oct. 17, 2025, 3:15 p.m. | 31 minutes ago
Description : radare2 v5.9.8 and before contains a memory leak in the function bochs_open.
Severity: 2.8 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-49655 - Keras TorchModuleWrapper Deserialization Vulnerability
CVE ID : CVE-2025-49655
Published : Oct. 17, 2025, 3:20 p.m. | 26 minutes ago
Description : Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-49655
Published : Oct. 17, 2025, 3:20 p.m. | 26 minutes ago
Description : Deserialization of untrusted data can occur in versions of the Keras framework running versions 3.11.0 up to but not including 3.11.3, enabling a maliciously uploaded Keras file containing a TorchModuleWrapper class to run arbitrary code on an end user’s system when loaded despite safe mode being enabled. The vulnerability can be triggered through both local and remote files.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62353 - Windsurf IDE Path Traversal Vulnerability
CVE ID : CVE-2025-62353
Published : Oct. 17, 2025, 3:27 p.m. | 18 minutes ago
Description : A path traversal vulnerability in all versions of the Windsurf IDE enables a threat actor to read and write arbitrary local files in and outside of current projects on an end user’s system. The vulnerability can be reached directly and through indirect prompt injection.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62353
Published : Oct. 17, 2025, 3:27 p.m. | 18 minutes ago
Description : A path traversal vulnerability in all versions of the Windsurf IDE enables a threat actor to read and write arbitrary local files in and outside of current projects on an end user’s system. The vulnerability can be reached directly and through indirect prompt injection.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-26625 - Git LFS may write to arbitrary files via crafted symlinks
CVE ID : CVE-2025-26625
Published : Oct. 17, 2025, 3:30 p.m. | 16 minutes ago
Description : Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. The git lfs checkout and git lfs pull commands do not check for symbolic links before writing to files in the working tree, allowing an attacker to craft a repository containing symbolic or hard links that cause Git LFS to write to arbitrary file system locations accessible to the user running these commands. As well, when the git lfs checkout and git lfs pull commands are run in a bare repository, they could write to files visible outside the repository. The vulnerability is fixed in version 3.7.1. As a workaround, support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-26625
Published : Oct. 17, 2025, 3:30 p.m. | 16 minutes ago
Description : Git LFS is a Git extension for versioning large files. In Git LFS versions 0.5.2 through 3.7.0, when populating a Git repository's working tree with the contents of Git LFS objects, certain Git LFS commands may write to files visible outside the current Git working tree if symbolic or hard links exist which collide with the paths of files tracked by Git LFS. The git lfs checkout and git lfs pull commands do not check for symbolic links before writing to files in the working tree, allowing an attacker to craft a repository containing symbolic or hard links that cause Git LFS to write to arbitrary file system locations accessible to the user running these commands. As well, when the git lfs checkout and git lfs pull commands are run in a bare repository, they could write to files visible outside the repository. The vulnerability is fixed in version 3.7.1. As a workaround, support for symlinks in Git may be disabled by setting the core.symlinks configuration option to false, after which further clones and fetches will not create symbolic links. However, any symbolic or hard links in existing repositories will still provide the opportunity for Git LFS to write to their targets.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-11905 - yanyutao0402 ChanCMS gather.js getArticle code injection
CVE ID : CVE-2025-11905
Published : Oct. 17, 2025, 3:32 p.m. | 14 minutes ago
Description : A vulnerability was found in yanyutao0402 ChanCMS up to 3.3.2. This vulnerability affects the function getArticle of the file app\modules\cms\controller\gather.js. The manipulation results in code injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-11905
Published : Oct. 17, 2025, 3:32 p.m. | 14 minutes ago
Description : A vulnerability was found in yanyutao0402 ChanCMS up to 3.3.2. This vulnerability affects the function getArticle of the file app\modules\cms\controller\gather.js. The manipulation results in code injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62356 - Qodo Qodo Gen IDE Path Traversal Vulnerability
CVE ID : CVE-2025-62356
Published : Oct. 17, 2025, 3:36 p.m. | 10 minutes ago
Description : A path traversal vulnerability in all versions of the Qodo Qodo Gen IDE enables a threat actor to read arbitrary local files in and outside of current projects on an end user’s system. The vulnerability can be reached directly and through indirect prompt injection.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62356
Published : Oct. 17, 2025, 3:36 p.m. | 10 minutes ago
Description : A path traversal vulnerability in all versions of the Qodo Qodo Gen IDE enables a threat actor to read arbitrary local files in and outside of current projects on an end user’s system. The vulnerability can be reached directly and through indirect prompt injection.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-57567 - PluXml CMS Theme Editor Remote Code Execution (RCE)
CVE ID : CVE-2025-57567
Published : Oct. 17, 2025, 4:15 p.m. | 1 hour, 41 minutes ago
Description : A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this file with arbitrary PHP code via the admin panel, enabling execution of system commands.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-57567
Published : Oct. 17, 2025, 4:15 p.m. | 1 hour, 41 minutes ago
Description : A remote code execution (RCE) vulnerability exists in the PluXml CMS theme editor, specifically in the minify.php file located under the default theme directory (/themes/defaut/css/minify.php). An authenticated administrator user can overwrite this file with arbitrary PHP code via the admin panel, enabling execution of system commands.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-58747 - Dify MCP OAuth Flow Vulnerable to XSS
CVE ID : CVE-2025-58747
Published : Oct. 17, 2025, 4:15 p.m. | 1 hour, 41 minutes ago
Description : Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable to cross-site scripting when a victim connects to an attacker-controlled remote MCP server. The vulnerability exists in the OAuth flow implementation where the authorization_url provided by a remote MCP server is directly passed to window.open without validation or sanitization. An attacker can craft a malicious MCP server that returns a JavaScript URI (such as javascript:alert(1)) in the authorization_url field, which is then executed when the victim attempts to connect to the MCP server. This allows the attacker to execute arbitrary JavaScript in the context of the Dify application.
Severity: 2.0 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-58747
Published : Oct. 17, 2025, 4:15 p.m. | 1 hour, 41 minutes ago
Description : Dify is an LLM application development platform. In Dify versions through 1.9.1, the MCP OAuth component is vulnerable to cross-site scripting when a victim connects to an attacker-controlled remote MCP server. The vulnerability exists in the OAuth flow implementation where the authorization_url provided by a remote MCP server is directly passed to window.open without validation or sanitization. An attacker can craft a malicious MCP server that returns a JavaScript URI (such as javascript:alert(1)) in the authorization_url field, which is then executed when the victim attempts to connect to the MCP server. This allows the attacker to execute arbitrary JavaScript in the context of the Dify application.
Severity: 2.0 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-59043 - OpenBao vulnerable to denial of service via malicious JSON request processing
CVE ID : CVE-2025-59043
Published : Oct. 17, 2025, 4:15 p.m. | 1 hour, 41 minutes ago
Description : OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to maximize the factor between serialized memory usage and deserialized memory usage, similar to a zip bomb, with factors reaching approximately 35. This can be used to circumvent the max_request_size configuration parameter which is intended to protect against denial of service attacks. The request body is parsed into a map very early in the request handling chain before authentication, which means an unauthenticated attacker can send a specifically crafted JSON object and cause an out-of-memory crash. Additionally, for requests with large numbers of strings, the audit subsystem can consume large quantities of CPU. The vulnerability is fixed in version 2.4.1.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-59043
Published : Oct. 17, 2025, 4:15 p.m. | 1 hour, 41 minutes ago
Description : OpenBao is an open source identity-based secrets management system. In OpenBao versions prior to 2.4.1, JSON objects after decoding may use significantly more memory than their serialized version. It is possible to craft a JSON payload to maximize the factor between serialized memory usage and deserialized memory usage, similar to a zip bomb, with factors reaching approximately 35. This can be used to circumvent the max_request_size configuration parameter which is intended to protect against denial of service attacks. The request body is parsed into a map very early in the request handling chain before authentication, which means an unauthenticated attacker can send a specifically crafted JSON object and cause an out-of-memory crash. Additionally, for requests with large numbers of strings, the audit subsystem can consume large quantities of CPU. The vulnerability is fixed in version 2.4.1.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-60279 - Illia Cloud illia-Builder SSRF Vulnerability
CVE ID : CVE-2025-60279
Published : Oct. 17, 2025, 4:15 p.m. | 1 hour, 41 minutes ago
Description : A server-side request forgery (SSRF) vulnerability in Illia Cloud illia-Builder before v4.8.5 allows authenticated users to send arbitrary requests to internal services via the API. An attacker can leverage this to enumerate open ports based on response discrepancies and interact with internal services.
Severity: 9.6 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-60279
Published : Oct. 17, 2025, 4:15 p.m. | 1 hour, 41 minutes ago
Description : A server-side request forgery (SSRF) vulnerability in Illia Cloud illia-Builder before v4.8.5 allows authenticated users to send arbitrary requests to internal services via the API. An attacker can leverage this to enumerate open ports based on response discrepancies and interact with internal services.
Severity: 9.6 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-8414 - Zigbee Green Power Host Buffer Overflow Vulnerability
CVE ID : CVE-2025-8414
Published : Oct. 17, 2025, 4:15 p.m. | 1 hour, 41 minutes ago
Description : Due to improper input validation, a buffer overflow vulnerability is present in Zigbee EZSP Host Applications. If the buffer overflows, stack corruption is possible. In certain conditions, this could lead to arbitrary code execution. Access to a network key is required to exploit this vulnerability.
Severity: 9.4 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-8414
Published : Oct. 17, 2025, 4:15 p.m. | 1 hour, 41 minutes ago
Description : Due to improper input validation, a buffer overflow vulnerability is present in Zigbee EZSP Host Applications. If the buffer overflows, stack corruption is possible. In certain conditions, this could lead to arbitrary code execution. Access to a network key is required to exploit this vulnerability.
Severity: 9.4 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-62422 - DataEase SQL injection vulnerability
CVE ID : CVE-2025-62422
Published : Oct. 17, 2025, 5:11 p.m. | 46 minutes ago
Description : DataEase is an open source data visualization and analytics platform. In versions 2.10.13 and earlier, the /de2api/datasetData/tableField interface is vulnerable to SQL injection. An attacker can construct a malicious tableName parameter to execute arbitrary SQL commands. This issue is fixed in version 2.10.14. No known workarounds exist.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-62422
Published : Oct. 17, 2025, 5:11 p.m. | 46 minutes ago
Description : DataEase is an open source data visualization and analytics platform. In versions 2.10.13 and earlier, the /de2api/datasetData/tableField interface is vulnerable to SQL injection. An attacker can construct a malicious tableName parameter to execute arbitrary SQL commands. This issue is fixed in version 2.10.14. No known workarounds exist.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...