π¨ CVE-2024-27239
Use after free in some Zoom Workplace Apps and SDKs may allow an authenticated user to conduct a denial of service via network access.
π@cveNotify
Use after free in some Zoom Workplace Apps and SDKs may allow an authenticated user to conduct a denial of service via network access.
π@cveNotify
Zoom
ZSB-24018
π¨ CVE-2025-46742
Users who were required to change their password could still access system information before changing their password
π@cveNotify
Users who were required to change their password could still access system information before changing their password
π@cveNotify
selinc.com
Login
π¨ CVE-2025-46744
An authenticated administrator could modify the Created By username for a user account
π@cveNotify
An authenticated administrator could modify the Created By username for a user account
π@cveNotify
selinc.com
Login
π¨ CVE-2025-46745
An authenticated user without user-management permissions could view other users' account information.
π@cveNotify
An authenticated user without user-management permissions could view other users' account information.
π@cveNotify
selinc.com
Login
π¨ CVE-2025-61582
TS3 Manager is modern web interface for maintaining Teamspeak3 servers. A Denial of Dervice vulnerability has been identified in versions 2.2.1 and earlier. The vulnerability permits an unauthenticated actor to crash the application through the submission of specially crafted Unicode input, requiring no prior authentication or privileges. The flaw manifests when Unicode tag characters are submitted to the Server field on the login page. The application fails to properly handle these characters during the ASCII conversion process, resulting in an unhandled exception that terminates the application within four to five seconds of submission. This issue is fixed in version 2.2.2.
π@cveNotify
TS3 Manager is modern web interface for maintaining Teamspeak3 servers. A Denial of Dervice vulnerability has been identified in versions 2.2.1 and earlier. The vulnerability permits an unauthenticated actor to crash the application through the submission of specially crafted Unicode input, requiring no prior authentication or privileges. The flaw manifests when Unicode tag characters are submitted to the Server field on the login page. The application fails to properly handle these characters during the ASCII conversion process, resulting in an unhandled exception that terminates the application within four to five seconds of submission. This issue is fixed in version 2.2.2.
π@cveNotify
GitHub
fixes unauthenticated denial of service and reflected cross-site scri⦠· joni1802/ts3-manager@3a06991
β¦pting
π¨ CVE-2025-61583
TS3 Manager is modern web interface for maintaining Teamspeak3 servers. A reflected cross-site scripting vulnerability has been identified in versions 2.2.1 and earlier. The vulnerability exists in the error handling mechanism of the login page, where malicious scripts embedded in server hostnames are executed in the victim's browser context without proper sanitization. This issue is fixed in version 2.2.2.
π@cveNotify
TS3 Manager is modern web interface for maintaining Teamspeak3 servers. A reflected cross-site scripting vulnerability has been identified in versions 2.2.1 and earlier. The vulnerability exists in the error handling mechanism of the login page, where malicious scripts embedded in server hostnames are executed in the victim's browser context without proper sanitization. This issue is fixed in version 2.2.2.
π@cveNotify
GitHub
fixes unauthenticated denial of service and reflected cross-site scri⦠· joni1802/ts3-manager@3a06991
β¦pting
π¨ CVE-2025-46745
An authenticated user without user-management permissions could view other users account information.
π@cveNotify
An authenticated user without user-management permissions could view other users account information.
π@cveNotify
selinc.com
Login
π¨ CVE-2025-21479
Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.
π@cveNotify
Memory corruption due to unauthorized command execution in GPU micronode while executing specific sequence of commands.
π@cveNotify
π¨ CVE-2025-55621
An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access and download other users' profile photos via a crafted URL. NOTE: this is disputed by the Supplier because it is intentional behavior; the photos are part of a social platform on which users expect to find one another.
π@cveNotify
An Insecure Direct Object Reference (IDOR) vulnerability in Reolink v4.54.0.4.20250526 allows unauthorized attackers to access and download other users' profile photos via a crafted URL. NOTE: this is disputed by the Supplier because it is intentional behavior; the photos are part of a social platform on which users expect to find one another.
π@cveNotify
relieved-knuckle-264 on Notion
Reolink - Download a profile due to IDOR | Notion
π 1. Reporting information
π₯1
π¨ CVE-2025-11020
An attacker can obtain server information using Path Traversal vulnerability to conduct SQL Injection, which possibly exploits Unrestricted Upload of File with Dangerous Type vulnerability in MarkAny SafePC Enterprise on Windows, Linux.This issue affects SafePC Enterprise: V7.0.* (V7.0.YYYY.MM.DD) before V7.0.1, and V5.*.*.
π@cveNotify
An attacker can obtain server information using Path Traversal vulnerability to conduct SQL Injection, which possibly exploits Unrestricted Upload of File with Dangerous Type vulnerability in MarkAny SafePC Enterprise on Windows, Linux.This issue affects SafePC Enterprise: V7.0.* (V7.0.YYYY.MM.DD) before V7.0.1, and V5.*.*.
π@cveNotify
Markany
κΈ°μ
μ 보 보μ
μΆκ·ΌλΆν° ν΄κ·ΌκΉμ§ λͺ¨λ 보μμ μλν νμ¬ μμ νκ² λ³΄νΈνκ³ μ¬μ©μμ λΆνΈμ μ΅μν ν©λλ€.
π¨ CVE-2025-11182
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Download of Code Without Integrity Check vulnerability in GTONE ChangeFlow allows Path Traversal.This issue affects ChangeFlow: All versions to v9.0.1.1.
π@cveNotify
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Download of Code Without Integrity Check vulnerability in GTONE ChangeFlow allows Path Traversal.This issue affects ChangeFlow: All versions to v9.0.1.1.
π@cveNotify
π¨ CVE-2025-11221
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Unrestricted Upload of File with Dangerous Type vulnerability in GTONE ChangeFlow allows Path Traversal, Accessing Functionality Not Properly Constrained by ACLs.This issue affects ChangeFlow: from All versions through v9.0.1.1.
π@cveNotify
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal'), Unrestricted Upload of File with Dangerous Type vulnerability in GTONE ChangeFlow allows Path Traversal, Accessing Functionality Not Properly Constrained by ACLs.This issue affects ChangeFlow: from All versions through v9.0.1.1.
π@cveNotify
π¨ CVE-2025-58775
KV STUDIO and VT5-WX15/WX12 contain a stack-based buffer overflow vulnerability. If the product uses a specially crafted file, arbitrary code may be executed on the affected product.
π@cveNotify
KV STUDIO and VT5-WX15/WX12 contain a stack-based buffer overflow vulnerability. If the product uses a specially crafted file, arbitrary code may be executed on the affected product.
π@cveNotify
jvn.jp
JVNVU#97069449: Multiple vulnerabilities in multiple Keyence products
Japan Vulnerability Notes
π¨ CVE-2025-58776
KV Studio versions 12.23 and prior contain a stack-based buffer overflow vulnerability. If the product uses a specially crafted file, arbitrary code may be executed on the affected product.
π@cveNotify
KV Studio versions 12.23 and prior contain a stack-based buffer overflow vulnerability. If the product uses a specially crafted file, arbitrary code may be executed on the affected product.
π@cveNotify
jvn.jp
JVNVU#97069449: Multiple vulnerabilities in multiple Keyence products
Japan Vulnerability Notes
π¨ CVE-2025-58777
VT Studio versions 8.53 and prior contain an access of uninitialized pointer vulnerability. If the product uses a specially crafted file, arbitrary code may be executed on the affected product.
π@cveNotify
VT Studio versions 8.53 and prior contain an access of uninitialized pointer vulnerability. If the product uses a specially crafted file, arbitrary code may be executed on the affected product.
π@cveNotify
jvn.jp
JVNVU#97069449: Multiple vulnerabilities in multiple Keyence products
Japan Vulnerability Notes
π₯1
π¨ CVE-2025-40645
Exposure of sensitive information in Viday. This vulnerability could allow an unauthenticated attacker to obtain sensitive information about customers by sending an HTTP GET request to β/api/reserva/web/clientsβ using the βphoneβ parameter.
π@cveNotify
Exposure of sensitive information in Viday. This vulnerability could allow an unauthenticated attacker to obtain sensitive information about customers by sending an HTTP GET request to β/api/reserva/web/clientsβ using the βphoneβ parameter.
π@cveNotify
www.incibe.es
Multiple vulnerabilities in ViDay
INCIBE has coordinated the publication of two vulnerabilities, one high severity and one medium severi
π¨ CVE-2025-40646
Exposure of sensitive information in Viday. This vulnerability could allow an attacker to obtain sensitive information about customers by intercepting HTTP requests and searching for the JWT containing sensitive user information in the JWT payload.
π@cveNotify
Exposure of sensitive information in Viday. This vulnerability could allow an attacker to obtain sensitive information about customers by intercepting HTTP requests and searching for the JWT containing sensitive user information in the JWT payload.
π@cveNotify
www.incibe.es
Multiple vulnerabilities in ViDay
INCIBE has coordinated the publication of two vulnerabilities, one high severity and one medium severi
π¨ CVE-2025-54286
Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.
π@cveNotify
Cross-Site Request Forgery (CSRF) in LXD-UI in Canonical LXD versions >= 5.0 on Linux allows an attacker to create and start container instances without user consent via crafted HTML form submissions exploiting client certificate authentication.
π@cveNotify
GitHub
CSRF Vulnerability When Using Client Certificate Authentication with the LXD-UI
### Description
OIDC authentication uses cookies with the SameSite=Strict attribute, preventing cookies from being sent with requests from other sites. Therefore, CSRF does not occur as long as we...
OIDC authentication uses cookies with the SameSite=Strict attribute, preventing cookies from being sent with requests from other sites. Therefore, CSRF does not occur as long as we...
π¨ CVE-2025-54287
Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker with instance configuration
permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine.
π@cveNotify
Template Injection in instance snapshot creation component in Canonical LXD (>= 4.0) allows an attacker with instance configuration
permissions to read arbitrary files on the host system via specially crafted snapshot pattern templates using the Pongo2 template engine.
π@cveNotify
GitHub
Arbitrary File Read via Template Injection in Snapshot Patterns
### Impact
In LXD's instance snapshot creation functionality, the Pongo2 template engine is used in the `snapshots.pattern` configuration for generating snapshot names. While code execution fu...
In LXD's instance snapshot creation functionality, the Pongo2 template engine is used in the `snapshots.pattern` configuration for generating snapshot names. While code execution fu...
π¨ CVE-2025-54288
Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line.
π@cveNotify
Information Spoofing in devLXD Server in Canonical LXD versions 4.0 and above on Linux container platforms allows attackers with root privileges within any container to impersonate other containers and obtain their metadata, configuration, and device information via spoofed process names in the command line.
π@cveNotify
GitHub
Source Container Identification Vulnerability via cmdline Spoofing in devLXD Server
### Impact
In LXD's devLXD server, the source container identification process uses process cmdline (command line) information, allowing attackers to impersonate other containers by spoofing p...
In LXD's devLXD server, the source container identification process uses process cmdline (command line) information, allowing attackers to impersonate other containers by spoofing p...
π¨ CVE-2025-54289
Privilege Escalation in operations API in Canonical LXD 6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format
π@cveNotify
Privilege Escalation in operations API in Canonical LXD 6.5 on multiple platforms allows attacker with read permissions to hijack terminal or console sessions and execute arbitrary commands via WebSocket connection hijacking format
π@cveNotify
GitHub
Privilege Escalation via WebSocket Connection Hijacking in Operations API
### Impact
LXD's operations API includes secret values necessary for WebSocket connections when retrieving information about running operations. These secret values are used for authentication...
LXD's operations API includes secret values necessary for WebSocket connections when retrieving information about running operations. These secret values are used for authentication...