๐จ CVE-2024-29026
Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. In versions 0.1.2 and prior, a lenient CORS policy allows attackers to make a cross origin request, reading privileged information. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue.
๐@cveNotify
Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. In versions 0.1.2 and prior, a lenient CORS policy allows attackers to make a cross origin request, reading privileged information. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue.
๐@cveNotify
GitHub
owncast/router/middleware/auth.go at v0.1.2 ยท owncast/owncast
Take control over your live stream video by running it yourself. Streaming + chat out of the box. - owncast/owncast
๐จ CVE-2025-1534
CVE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Payara Platform Payara Server allows : Remote Code Inclusion.This issue affects Payara Server: from 4.1.2.1919.1 before 4.1.2.191.51, from 5.20.0 before 5.68.0, from 6.0.0 before 6.23.0, from 6.2022.1 before 6.2025.2.
๐@cveNotify
CVE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Payara Platform Payara Server allows : Remote Code Inclusion.This issue affects Payara Server: from 4.1.2.1919.1 before 4.1.2.191.51, from 5.20.0 before 5.68.0, from 6.0.0 before 6.23.0, from 6.2022.1 before 6.2025.2.
๐@cveNotify
๐จ CVE-2025-24949
In JotUrl 2.0, is possible to bypass security requirements during the password change process.
๐@cveNotify
In JotUrl 2.0, is possible to bypass security requirements during the password change process.
๐@cveNotify
www.gruppotim.it
Vulnerability Research & Advisor
๐จ CVE-2025-5459
A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary host. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3 and has been resolved in versions 2023.8.4 and 2025.4.0.
๐@cveNotify
A user with specific node group editing permissions and a specially crafted class parameter could be used to execute commands as root on the primary host. It affects Puppet Enterprise versions 2018.1.8 through 2023.8.3 and 2025.3 and has been resolved in versions 2023.8.4 and 2025.4.0.
๐@cveNotify
๐จ CVE-2025-11548
A remote, unauthenticated privilege escalation in ibi WebFOCUS allows an attacker to gain administrative access to the application which may lead to unauthenticated Remote Code Execution
๐@cveNotify
A remote, unauthenticated privilege escalation in ibi WebFOCUS allows an attacker to gain administrative access to the application which may lead to unauthenticated Remote Code Execution
๐@cveNotify
TIBCO Community
ibi Security Advisory: October 14, 2025 - ibi WebFOCUS - CVE-2025-11548
ibi WebFOCUS - Unauthenticated RCE Vulnerability Original release date: October 14, 2025 Last revised: --- CVE-2025-11548 Source: ibi. Products Affected ibi WebFOCUS 9.1.3 & earlier ibi WebFOCUS 9.2.2 & earlier Component Affected SOAP Log on (Enabled by default)โฆ
๐จ CVE-2025-24052
Microsoft is aware of vulnerabilities in the third party Agere Modem driver that ships natively with supported Windows operating systems. This is an announcement of the upcoming removal of ltmdm64.sys driver. The driver has been removed in the October cumulative update.
Fax modem hardware dependent on this specific driver will no longer work on Windows.
Microsoft recommends removing any existing dependencies on this hardware.
๐@cveNotify
Microsoft is aware of vulnerabilities in the third party Agere Modem driver that ships natively with supported Windows operating systems. This is an announcement of the upcoming removal of ltmdm64.sys driver. The driver has been removed in the October cumulative update.
Fax modem hardware dependent on this specific driver will no longer work on Windows.
Microsoft recommends removing any existing dependencies on this hardware.
๐@cveNotify
๐จ CVE-2025-24990
Microsoft is aware of vulnerabilities in the third party Agere Modem driver that ships natively with supported Windows operating systems. This is an announcement of the upcoming removal of ltmdm64.sys driver. The driver has been removed in the October cumulative update.
Fax modem hardware dependent on this specific driver will no longer work on Windows.
Microsoft recommends removing any existing dependencies on this hardware.
๐@cveNotify
Microsoft is aware of vulnerabilities in the third party Agere Modem driver that ships natively with supported Windows operating systems. This is an announcement of the upcoming removal of ltmdm64.sys driver. The driver has been removed in the October cumulative update.
Fax modem hardware dependent on this specific driver will no longer work on Windows.
Microsoft recommends removing any existing dependencies on this hardware.
๐@cveNotify
๐จ CVE-2025-25004
Improper access control in Microsoft PowerShell allows an authorized attacker to elevate privileges locally.
๐@cveNotify
Improper access control in Microsoft PowerShell allows an authorized attacker to elevate privileges locally.
๐@cveNotify
๐จ CVE-2025-36730
A prompt injection vulnerability exists in Windsurft version 1.10.7 in Write mode using SWE-1 model.
It is possible to create a file name that will be appended to the user prompt causing Windsurf to follow its instructions.
๐@cveNotify
A prompt injection vulnerability exists in Windsurft version 1.10.7 in Write mode using SWE-1 model.
It is possible to create a file name that will be appended to the user prompt causing Windsurf to follow its instructions.
๐@cveNotify
Tenableยฎ
Windsurf Prompt Injection via Filename
A prompt injection vulnerability exists in Windsurf version 1.10.7. We have verified this vulnerability is present when installed on macOS Sequoia 15.5 with Windsurf Version: 1.10.7 Windsurf Extension Version: 1.48.1 in Write mode using the SWE-1 model.
๐จ CVE-2025-37132
An arbitrary file write vulnerability exists in the web-based management interface of both the AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files and execute arbitrary commands on the underlying operating system.
๐@cveNotify
An arbitrary file write vulnerability exists in the web-based management interface of both the AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to upload arbitrary files and execute arbitrary commands on the underlying operating system.
๐@cveNotify
๐จ CVE-2025-37133
An authenticated command injection vulnerability exists in the CLI binary of an AOS-8 Controller/Mobility Conductor operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system.
๐@cveNotify
An authenticated command injection vulnerability exists in the CLI binary of an AOS-8 Controller/Mobility Conductor operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system.
๐@cveNotify
๐จ CVE-2025-37134
An authenticated command injection vulnerability exists in the CLI binary of an AOS-8 Controller/Mobility Conductor operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system.
๐@cveNotify
An authenticated command injection vulnerability exists in the CLI binary of an AOS-8 Controller/Mobility Conductor operating system. Successful exploitation could allow an authenticated malicious actor to execute arbitrary commands as a privileged user on the underlying operating system.
๐@cveNotify
๐จ CVE-2025-37135
Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.
๐@cveNotify
Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.
๐@cveNotify
๐จ CVE-2025-37136
Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.
๐@cveNotify
Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.
๐@cveNotify
๐จ CVE-2025-37137
Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.
๐@cveNotify
Arbitrary file deletion vulnerabilities have been identified in the command-line interface of an AOS-8 Controller/Mobility Conductor. Successful exploitation of these vulnerabilities could allow an authenticated remote malicious actor to delete arbitrary files within the affected system.
๐@cveNotify
๐จ CVE-2025-37138
An authenticated command injection vulnerability exists in the command line interface binary of AOS-10 GW and AOS-8 Controllers/Mobility Conductor operating system. Exploitation of this vulnerability requires physical access to the hardware controllers. A successful attack could allow an authenticated malicious actor with physical access to execute arbitrary commands as a privileged user on the underlying operating system.
๐@cveNotify
An authenticated command injection vulnerability exists in the command line interface binary of AOS-10 GW and AOS-8 Controllers/Mobility Conductor operating system. Exploitation of this vulnerability requires physical access to the hardware controllers. A successful attack could allow an authenticated malicious actor with physical access to execute arbitrary commands as a privileged user on the underlying operating system.
๐@cveNotify
๐จ CVE-2025-37139
A vulnerability in an AOS firmware binary allows an authenticated malicious actor to permanently delete necessary boot information. Successful exploitation may render the system unbootable, resulting in a Denial of Service that can only be resolved by replacing the affected hardware.
๐@cveNotify
A vulnerability in an AOS firmware binary allows an authenticated malicious actor to permanently delete necessary boot information. Successful exploitation may render the system unbootable, resulting in a Denial of Service that can only be resolved by replacing the affected hardware.
๐@cveNotify
๐จ CVE-2025-37140
Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits.
๐@cveNotify
Arbitrary file download vulnerabilities exist in the CLI binary of AOS-10 GW and AOS-8 Controller/Mobility Conductor operating systems. Successful exploitation could allow an authenticated malicious actor to download arbitrary files through carefully constructed exploits.
๐@cveNotify
๐ฅ1
๐จ CVE-2024-0800
A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet.
๐@cveNotify
A path traversal vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in edge-app-base-webui.jar!com.ca.arcserve.edge.app.base.ui.server.servlet.ImportNodeServlet.
๐@cveNotify
Tenableยฎ
Arcserve Unified Data Protection 9.2 Multiple Vulnerabilities
Multiple vulnerabilities exist in Arcserve Unified Data Protection (UDP) 9.2.
๐จ CVE-2024-0801
A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll.
๐@cveNotify
A denial of service vulnerability exists in Arcserve Unified Data Protection 9.2 and 8.1 in ASNative.dll.
๐@cveNotify
Tenableยฎ
Arcserve Unified Data Protection 9.2 Multiple Vulnerabilities
Multiple vulnerabilities exist in Arcserve Unified Data Protection (UDP) 9.2.
๐จ CVE-2024-52949
iptraf-ng 1.2.1 has a stack-based buffer overflow. In src/ifaces.c, the strcpy function consistently fails to control the size, and it is consequently possible to overflow memory on the stack.
๐@cveNotify
iptraf-ng 1.2.1 has a stack-based buffer overflow. In src/ifaces.c, the strcpy function consistently fails to control the size, and it is consequently possible to overflow memory on the stack.
๐@cveNotify
GitHub
Release Version 1.2.1 ยท iptraf-ng/iptraf-ng
Changes:
Makefile: protect mandatory compile flags
packet capture: don't reuse socket for multiple receive functions
TPACKET_V[23]: continue even if mlock() fails
Makefile: protect mandatory compile flags
packet capture: don't reuse socket for multiple receive functions
TPACKET_V[23]: continue even if mlock() fails