CVE-2025-65041 - Microsoft Partner Center Elevation of Privilege Vulnerability
CVE ID : CVE-2025-65041
Published : Dec. 18, 2025, 10:02 p.m. | 18 minutes ago
Description : None
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-65041
Published : Dec. 18, 2025, 10:02 p.m. | 18 minutes ago
Description : None
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-65037 - Azure Container Apps Remote Code Execution Vulnerability
CVE ID : CVE-2025-65037
Published : Dec. 18, 2025, 10:02 p.m. | 18 minutes ago
Description : None
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-65037
Published : Dec. 18, 2025, 10:02 p.m. | 18 minutes ago
Description : None
Severity: 10.0 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64676 - Microsoft Purview eDiscovery Remote Code Execution Vulnerability
CVE ID : CVE-2025-64676
Published : Dec. 18, 2025, 10:02 p.m. | 18 minutes ago
Description : None
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64676
Published : Dec. 18, 2025, 10:02 p.m. | 18 minutes ago
Description : None
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64677 - Office Out-of-Box Experience Spoofing Vulnerability
CVE ID : CVE-2025-64677
Published : Dec. 18, 2025, 10:02 p.m. | 18 minutes ago
Description : None
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64677
Published : Dec. 18, 2025, 10:02 p.m. | 18 minutes ago
Description : None
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68384 - Elasticsearch Allocation of Resources Without Limits or Throttling
CVE ID : CVE-2025-68384
Published : Dec. 18, 2025, 10:04 p.m. | 15 minutes ago
Description : Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial of service (OOM crash) via submission of oversized user settings data.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68384
Published : Dec. 18, 2025, 10:04 p.m. | 15 minutes ago
Description : Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) causing a persistent denial of service (OOM crash) via submission of oversized user settings data.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68279 - Weblate has an arbitrary file read via symbolic links
CVE ID : CVE-2025-68279
Published : Dec. 18, 2025, 11:15 p.m. | 3 hours, 5 minutes ago
Description : Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue.
Severity: 7.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68279
Published : Dec. 18, 2025, 11:15 p.m. | 3 hours, 5 minutes ago
Description : Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to read arbitrary files from the server file system using crafted symbolic links in the repository. Version 5.15.1 fixes the issue.
Severity: 7.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68385 - Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE ID : CVE-2025-68385
Published : Dec. 18, 2025, 11:15 p.m. | 3 hours, 5 minutes ago
Description : Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a previous Vega XSS mitigation.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68385
Published : Dec. 18, 2025, 11:15 p.m. | 3 hours, 5 minutes ago
Description : Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an authenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a method in Vega bypassing a previous Vega XSS mitigation.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68386 - Kibana Improper Authorization
CVE ID : CVE-2025-68386
Published : Dec. 18, 2025, 11:15 p.m. | 3 hours, 5 minutes ago
Description : Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted a HTTP request.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68386
Published : Dec. 18, 2025, 11:15 p.m. | 3 hours, 5 minutes ago
Description : Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to change a document's sharing type to "global," even though they do not have permission to do so, making it visible to everyone in the space via a crafted a HTTP request.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68387 - Kibana Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE ID : CVE-2025-68387
Published : Dec. 18, 2025, 11:15 p.m. | 3 hours, 5 minutes ago
Description : Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function handler in the Vega AST evaluator.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68387
Published : Dec. 18, 2025, 11:15 p.m. | 3 hours, 5 minutes ago
Description : Improper neutralization of input during web page generation ('Cross-site Scripting') (CWE-79) allows an unauthenticated user to embed a malicious script in content that will be served to web browsers causing cross-site scripting (XSS) (CAPEC-63) via a vulnerability a function handler in the Vega AST evaluator.
Severity: 6.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68389 - Kibana Allocation of Resources Without Limits or Throttling
CVE ID : CVE-2025-68389
Published : Dec. 18, 2025, 11:15 p.m. | 3 hours, 5 minutes ago
Description : Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68389
Published : Dec. 18, 2025, 11:15 p.m. | 3 hours, 5 minutes ago
Description : Allocation of Resources Without Limits or Throttling (CWE-770) in Kibana can allow a low-privileged authenticated user to cause Excessive Allocation (CAPEC-130) of computing resources and a denial of service (DoS) of the Kibana process via a crafted HTTP request.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68390 - Elasticsearch Allocation of Resources Without Limits or Throttling
CVE ID : CVE-2025-68390
Published : Dec. 18, 2025, 11:15 p.m. | 3 hours, 5 minutes ago
Description : Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via crafted HTTP request.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68390
Published : Dec. 18, 2025, 11:15 p.m. | 3 hours, 5 minutes ago
Description : Allocation of Resources Without Limits or Throttling (CWE-770) in Elasticsearch can allow an authenticated user with snapshot restore privileges to cause Excessive Allocation (CAPEC-130) of memory and a denial of service (DoS) via crafted HTTP request.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68398 - Weblate has git config file overwrite vulnerability that leads to remote code execution
CVE ID : CVE-2025-68398
Published : Dec. 18, 2025, 11:15 p.m. | 3 hours, 5 minutes ago
Description : Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68398
Published : Dec. 18, 2025, 11:15 p.m. | 3 hours, 5 minutes ago
Description : Weblate is a web based localization tool. In versions prior to 5.15.1, it was possible to overwrite Git configuration remotely and override some of its behavior. Version 5.15.1 fixes the issue.
Severity: 9.1 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-68422 - Kibana Improper Authorization
CVE ID : CVE-2025-68422
Published : Dec. 18, 2025, 11:15 p.m. | 3 hours, 5 minutes ago
Description : Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully retrieve the list of live queries.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-68422
Published : Dec. 18, 2025, 11:15 p.m. | 3 hours, 5 minutes ago
Description : Improper Authorization (CWE-285) in Kibana can lead to privilege escalation (CAPEC-233) by allowing an authenticated user to bypass intended permission restrictions via a crafted HTTP request. This allows an attacker who lacks the live queries - read permission to successfully retrieve the list of live queries.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-67844 - Mintlify Platform GitHub Integration API Insufficient Authorization
CVE ID : CVE-2025-67844
Published : Dec. 19, 2025, midnight | 2 hours, 20 minutes ago
Description : The GitHub Integration API in Mintlify Platform before 2025-11-15 allows remote attackers to obtain sensitive repository metadata via the repository owner and name fields. It fails to validate that the repository owner and name fields provided during configuration belong to the specific GitHub App Installation ID associated with the user's organization.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-67844
Published : Dec. 19, 2025, midnight | 2 hours, 20 minutes ago
Description : The GitHub Integration API in Mintlify Platform before 2025-11-15 allows remote attackers to obtain sensitive repository metadata via the repository owner and name fields. It fails to validate that the repository owner and name fields provided during configuration belong to the specific GitHub App Installation ID associated with the user's organization.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-67842 - Mintlify Platform Cross-Site Scripting (XSS)
CVE ID : CVE-2025-67842
Published : Dec. 19, 2025, midnight | 2 hours, 20 minutes ago
Description : The Static Asset API in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via the subdomain parameter because any tenant's assets can be served on any other tenant's documentation site.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-67842
Published : Dec. 19, 2025, midnight | 2 hours, 20 minutes ago
Description : The Static Asset API in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via the subdomain parameter because any tenant's assets can be served on any other tenant's documentation site.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-67845 - Mintlify Platform Directory Traversal Vulnerability
CVE ID : CVE-2025-67845
Published : Dec. 19, 2025, midnight | 2 hours, 20 minutes ago
Description : A Directory Traversal vulnerability in the Static Asset Proxy Endpoint in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via a crafted URL containing path traversal sequences.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-67845
Published : Dec. 19, 2025, midnight | 2 hours, 20 minutes ago
Description : A Directory Traversal vulnerability in the Static Asset Proxy Endpoint in Mintlify Platform before 2025-11-15 allows remote attackers to inject arbitrary web script or HTML via a crafted URL containing path traversal sequences.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-67843 - Mintlify Platform SSTI Vulnerability
CVE ID : CVE-2025-67843
Published : Dec. 19, 2025, midnight | 2 hours, 20 minutes ago
Description : A Server-Side Template Injection (SSTI) vulnerability in the MDX Rendering Engine in Mintlify Platform before 2025-11-15 allows remote attackers to execute arbitrary code via inline JSX expressions in an MDX file.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-67843
Published : Dec. 19, 2025, midnight | 2 hours, 20 minutes ago
Description : A Server-Side Template Injection (SSTI) vulnerability in the MDX Rendering Engine in Mintlify Platform before 2025-11-15 allows remote attackers to execute arbitrary code via inline JSX expressions in an MDX file.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-67846 - Mintlify Platform Downgrade Attack
CVE ID : CVE-2025-67846
Published : Dec. 19, 2025, midnight | 2 hours, 20 minutes ago
Description : The Deployment Infrastructure in Mintlify Platform before 2025-11-15 allows remote attackers to bypass security patches and execute downgrade attacks via predictable deployment identifiers on the Vercel preview domain. An attacker can identify the URL structure of a previous deployment that contains unpatched vulnerabilities. By browsing directly to the specific git-ref or deployment-id subdomain, the attacker can force the application to load the vulnerable version.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-67846
Published : Dec. 19, 2025, midnight | 2 hours, 20 minutes ago
Description : The Deployment Infrastructure in Mintlify Platform before 2025-11-15 allows remote attackers to bypass security patches and execute downgrade attacks via predictable deployment identifiers on the Vercel preview domain. An attacker can identify the URL structure of a previous deployment that contains unpatched vulnerabilities. By browsing directly to the specific git-ref or deployment-id subdomain, the attacker can force the application to load the vulnerable version.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14897 - CodeAstro Real Estate Management System Administrator Endpoint useragentdelete.php sql injection
CVE ID : CVE-2025-14897
Published : Dec. 19, 2025, 12:15 a.m. | 2 hours, 5 minutes ago
Description : A vulnerability was identified in CodeAstro Real Estate Management System 1.0. The impacted element is an unknown function of the file /admin/useragentdelete.php of the component Administrator Endpoint. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14897
Published : Dec. 19, 2025, 12:15 a.m. | 2 hours, 5 minutes ago
Description : A vulnerability was identified in CodeAstro Real Estate Management System 1.0. The impacted element is an unknown function of the file /admin/useragentdelete.php of the component Administrator Endpoint. The manipulation leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-14898 - CodeAstro Real Estate Management System Administrator Endpoint userbuilderdelete.php sql injection
CVE ID : CVE-2025-14898
Published : Dec. 19, 2025, 12:15 a.m. | 2 hours, 5 minutes ago
Description : A security flaw has been discovered in CodeAstro Real Estate Management System 1.0. This affects an unknown function of the file /admin/userbuilderdelete.php of the component Administrator Endpoint. The manipulation results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-14898
Published : Dec. 19, 2025, 12:15 a.m. | 2 hours, 5 minutes ago
Description : A security flaw has been discovered in CodeAstro Real Estate Management System 1.0. This affects an unknown function of the file /admin/userbuilderdelete.php of the component Administrator Endpoint. The manipulation results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited.
Severity: 5.8 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2025-64675 - Azure Cosmos DB Spoofing Vulnerability
CVE ID : CVE-2025-64675
Published : Dec. 19, 2025, 12:15 a.m. | 2 hours, 5 minutes ago
Description : Improper neutralization of input during web page generation ('cross-site scripting') in Azure Cosmos DB allows an unauthorized attacker to perform spoofing over a network.
Severity: 8.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-64675
Published : Dec. 19, 2025, 12:15 a.m. | 2 hours, 5 minutes ago
Description : Improper neutralization of input during web page generation ('cross-site scripting') in Azure Cosmos DB allows an unauthorized attacker to perform spoofing over a network.
Severity: 8.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...