🚨 CVE-2025-45768
pyjwt v2.10.1 was discovered to contain weak encryption. NOTE: this is disputed by the Supplier because the key length is chosen by the application that uses the library (admittedly, library users may benefit from a minimum value and a mechanism for opting in to strict enforcement).
@cveNotify
Gist
pyjwt < v2.10.1 was discovered to contain weak encryption.
pyjwt < v2.10.1 was discovered to contain weak encryption. - gist:6f65e564f2067b876321d3dfdbb76569
🚨 CVE-2025-54789
Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, the File Move functionality does not contain logic that prevents injection of arbitrary JavaScript, which can lead to Browser JS code execution in the context of the user's session. This is fixed in version 0.16.10.
GitHub
Refactor files sort ordering · humhub/cfiles@f022bdd
Module for managing files inside spaces and user profiles. - Refactor files sort ordering · humhub/cfiles@f022bdd
🚨 CVE-2025-54790
Files is a module for managing files inside spaces and user profiles. In versions 0.16.9 and below, Files does not have logic to prevent the exploitation of backend SQL queries without direct output, potentially allowing unauthorized data access. This is fixed in version 0.16.10.
GitHub
Refactor files sort ordering by yurabakhtin · Pull Request #252 · humhub/cfiles
Improve sort ordering params to array format
🚨 CVE-2025-47997
Concurrent execution using shared resource with improper synchronization ('race condition') in SQL Server allows an authorized attacker to disclose information over a network.
🚨 CVE-2025-54896
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
🚨 CVE-2025-54897
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
🚨 CVE-2025-54898
Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
🚨 CVE-2025-54899
Free of memory not on the heap in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
🚨 CVE-2025-54900
Heap-based buffer overflow in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
🚨 CVE-2025-54903
Use after free in Microsoft Office Excel allows an unauthorized attacker to execute code locally.
🚨 CVE-2025-54834
OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows an unauthenticated, remote attacker to query the /App/CreateRequest.aspx endpoint to check for the existence of valid usernames. There are no rate-limiting mechanisms in place.
🚨 CVE-2025-54919
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Win32K - GRFX allows an authorized attacker to execute code locally.
🚨 CVE-2025-55227
Improper neutralization of special elements used in a command ('command injection') in SQL Server allows an authorized attacker to elevate privileges over a network.
🚨 CVE-2025-3650
The jQuery Colorbox WordPress plugin through 4.6.3 uses the colorbox library, which does not sanitize title attributes on links before using them, allowing users with at least the contributor role to conduct XSS attacks against administrators.
WPScan
jQuery Colorbox <= 4.6.3 - Contributor+ Stored XSS
See details on jQuery Colorbox <= 4.6.3 - Contributor+ Stored XSS CVE 2025-3650. View the latest Plugin Vulnerabilities on WPScan.
🚨 CVE-2025-8280
The Contact Form 7 reCAPTCHA WordPress plugin through 1.2.0 does not escape the $_SERVER['REQUEST_URI'] parameter before outputting it back in an attribute, which could lead to Reflected Cross-Site Scripting in old web browsers.
WPScan
Contact Form 7 reCAPTCHA <= 1.2.0 - Reflected XSS via $_SERVER['REQUEST_URI']
See details on Contact Form 7 reCAPTCHA <= 1.2.0 - Reflected XSS via $_SERVER['REQUEST_URI'] CVE 2025-8280. View the latest Plugin Vulnerabilities on WPScan.
🚨 CVE-2024-45431
OpenSynergy BlueSDK (aka Blue SDK) through 6.x has Improper Input Validation. The specific flaw exists within the BlueSDK Bluetooth stack. The issue results from the lack of proper validation of remote L2CAP channel ID (CID). An attacker can leverage this to create an L2CAP channel with the null identifier assigned as a remote CID.
Pcacybersecurity
Critical Vulnerabilities Blue SDK OpenSynergy | PCA Advisory
PCA Cyber Security researchers identified and announced critical vulnerabilities in the Bluetooth stack of Blue SDK. PCA Researchers name the discovered vulnerability chain PerfektBlue. PerfektBlue - 1-click RCE attack affects millions of devices used by…
🚨 CVE-2025-8347
A vulnerability, which was classified as critical, was found in Kehua Charging Pile Cloud Platform 1.0. This affects an unknown part of the file /sys/task/findAllTask. The manipulation leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
GitHub
cve/CVE2.md at main · qiantx/cve
🚨 CVE-2025-8348
A vulnerability has been found in Kehua Charging Pile Cloud Platform 1.0 and classified as critical. This vulnerability affects unknown code of the file /home. The manipulation leads to improper authentication. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
GitHub
cve/cve3.md at main · qiantx/cve
🚨 CVE-2025-54832
OPEXUS FOIAXpress Public Access Link (PAL), version v11.1.0, allows an authenticated user to add entries to the list of states and territories.
🚨 CVE-2025-54833
OPEXUS FOIAXpress Public Access Link (PAL) version v11.1.0 allows attackers to bypass account-lockout and CAPTCHA protections. Unauthenticated remote attackers can more easily brute force passwords.
🚨 CVE-2025-54874
OpenJPEG is an open-source JPEG 2000 codec. In OpenJPEG 2.5.3 and earlier, a call to opj_jp2_read_header may lead to OOB heap memory write when the data stream p_stream is too short and p_image is not initialized.
GitHub
opj_jp2_read_header: Check for error after parsing header. · uclouvain/openjpeg@f809b80
Consider the case where the caller has not set the p_image
pointer to NULL before calling opj_read_header().
If opj_j2k_read_header_procedure() fails while obtaining the rest
of the marker segment...