π¨ CVE-2025-62694
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - WikiLove Extension allows Stored XSS.This issue affects Mediawiki - WikiLove Extension: 1.39.
π@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - WikiLove Extension allows Stored XSS.This issue affects Mediawiki - WikiLove Extension: 1.39.
π@cveNotify
π¨ CVE-2025-62701
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikistories allows Stored XSS.This issue affects Mediawiki - Wikistories: from master before 1.44.
π@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - Wikistories allows Stored XSS.This issue affects Mediawiki - Wikistories: from master before 1.44.
π@cveNotify
π¨ CVE-2025-62702
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - PageTriage Extension allows Stored XSS.This issue affects Mediawiki - PageTriage Extension: from master before 1.44.
π@cveNotify
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in The Wikimedia Foundation Mediawiki - PageTriage Extension allows Stored XSS.This issue affects Mediawiki - PageTriage Extension: from master before 1.44.
π@cveNotify
π¨ CVE-2025-10916
The FormGent WordPress plugin before 1.0.4 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.
π@cveNotify
The FormGent WordPress plugin before 1.0.4 is vulnerable to arbitrary file deletion due to insufficient file path validation. This makes it possible for unauthenticated attackers to delete arbitrary files on the server.
π@cveNotify
WPScan
FormGent < 1.0.4 - Unauthenticated Arbitrary File Deletion
See details on FormGent < 1.0.4 - Unauthenticated Arbitrary File Deletion CVE 2025-10916. View the latest Plugin Vulnerabilities on WPScan.
π¨ CVE-2025-1742
A vulnerability, which was classified as problematic, has been found in pihome-shc PiHome 2.0. Affected by this issue is some unknown functionality of the file /home.php. The manipulation of the argument page_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
π@cveNotify
A vulnerability, which was classified as problematic, has been found in pihome-shc PiHome 2.0. Affected by this issue is some unknown functionality of the file /home.php. The manipulation of the argument page_name leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
π@cveNotify
GitHub
published-pocs/pihomehvac_xss_home.md at main Β· janssensjelle/published-pocs
Contribute to janssensjelle/published-pocs development by creating an account on GitHub.
π¨ CVE-2025-2493
Path Traversal vulnerability in Softdial Contact Center of Sytel Ltd. This vulnerability allows an attacker to manipulate the βidβ parameter of the β/softdial/scheduler/load.phpβ endpoint to navigate beyond the intended directory. This can allow unauthorised access to sensitive files outside the expected scope, posing a security risk.
π@cveNotify
Path Traversal vulnerability in Softdial Contact Center of Sytel Ltd. This vulnerability allows an attacker to manipulate the βidβ parameter of the β/softdial/scheduler/load.phpβ endpoint to navigate beyond the intended directory. This can allow unauthorised access to sensitive files outside the expected scope, posing a security risk.
π@cveNotify
www.incibe.es
Multiple vulnerabilities in Softdial Contact Center
INCIBE has coordinated the publication of 3 vulnerabilities, 2 of high severity and one medium, affect
π¨ CVE-2025-2494
Unrestricted file upload to Softdial Contact Center of Sytel Ltd. This vulnerability could allow an attacker to upload files to the server via the β/softdial/phpconsole/upload.phpβ endpoint, which is protected by basic HTTP authentication. The files are uploaded to a directory exposed by the web application, which could result in code execution, giving the attacker full control over the server.
π@cveNotify
Unrestricted file upload to Softdial Contact Center of Sytel Ltd. This vulnerability could allow an attacker to upload files to the server via the β/softdial/phpconsole/upload.phpβ endpoint, which is protected by basic HTTP authentication. The files are uploaded to a directory exposed by the web application, which could result in code execution, giving the attacker full control over the server.
π@cveNotify
www.incibe.es
Multiple vulnerabilities in Softdial Contact Center
INCIBE has coordinated the publication of 3 vulnerabilities, 2 of high severity and one medium, affect
π¨ CVE-2025-2495
Stored Cross-Site Scripting (XSS) in Softdial Contact Center of Sytel Ltd. This vulnerability allows an attacker to upload XML files to the server with JavaScript code injected via the β/softdial/scheduler/save.phpβ resource. The injected code will execute when the uploaded file is loaded via the β/softdial/scheduler/load.phpβ resource and can redirect the victim to malicious sites or steal their login information to spoof their identity.
π@cveNotify
Stored Cross-Site Scripting (XSS) in Softdial Contact Center of Sytel Ltd. This vulnerability allows an attacker to upload XML files to the server with JavaScript code injected via the β/softdial/scheduler/save.phpβ resource. The injected code will execute when the uploaded file is loaded via the β/softdial/scheduler/load.phpβ resource and can redirect the victim to malicious sites or steal their login information to spoof their identity.
π@cveNotify
www.incibe.es
Multiple vulnerabilities in Softdial Contact Center
INCIBE has coordinated the publication of 3 vulnerabilities, 2 of high severity and one medium, affect
π¨ CVE-2024-12065
A local file inclusion vulnerability exists in haotian-liu/llava at commit c121f04. This vulnerability allows an attacker to access any file on the system by sending multiple crafted requests to the server. The issue is due to improper input validation in the gradio web UI component.
π@cveNotify
A local file inclusion vulnerability exists in haotian-liu/llava at commit c121f04. This vulnerability allows an attacker to access any file on the system by sending multiple crafted requests to the server. The issue is due to improper input validation in the gradio web UI component.
π@cveNotify
π¨ CVE-2024-12068
A Server-Side Request Forgery (SSRF) vulnerability was discovered in haotian-liu/llava, affecting version git c121f04. This vulnerability allows an attacker to make the server perform HTTP requests to arbitrary URLs, potentially accessing sensitive data that is only accessible from the server, such as AWS metadata credentials.
π@cveNotify
A Server-Side Request Forgery (SSRF) vulnerability was discovered in haotian-liu/llava, affecting version git c121f04. This vulnerability allows an attacker to make the server perform HTTP requests to arbitrary URLs, potentially accessing sensitive data that is only accessible from the server, such as AWS metadata credentials.
π@cveNotify
π¨ CVE-2025-31162
Floating point exception in fig2dev in version 3.2.9a allows an attacker to availability via local input manipulation via get_slope function.
π@cveNotify
Floating point exception in fig2dev in version 3.2.9a allows an attacker to availability via local input manipulation via get_slope function.
π@cveNotify
π¨ CVE-2025-31163
Segmentation fault in fig2dev in version 3.2.9a allows an attacker to availability via local input manipulation via put_patternarc function.
π@cveNotify
Segmentation fault in fig2dev in version 3.2.9a allows an attacker to availability via local input manipulation via put_patternarc function.
π@cveNotify
π¨ CVE-2025-31164
heap-buffer overflow in fig2dev in version 3.2.9a allows an attacker to availability via local input manipulation via create_line_with_spline.
π@cveNotify
heap-buffer overflow in fig2dev in version 3.2.9a allows an attacker to availability via local input manipulation via create_line_with_spline.
π@cveNotify
π¨ CVE-2025-32996
In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because "else if" is not used.
π@cveNotify
In http-proxy-middleware before 2.0.8 and 3.x before 3.0.4, writeBody can be called twice because "else if" is not used.
π@cveNotify
GitHub
fix(fixRequestBody): prevent multiple .write() calls (#1089) Β· chimurai/http-proxy-middleware@0209760
:zap: The one-liner node.js http-proxy middleware for connect, express, next.js and more - fix(fixRequestBody): prevent multiple .write() calls (#1089) Β· chimurai/http-proxy-middleware@0209760
π¨ CVE-2025-32997
In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed.
π@cveNotify
In http-proxy-middleware before 2.0.9 and 3.x before 3.0.5, fixRequestBody proceeds even if bodyParser has failed.
π@cveNotify
GitHub
fix(fixRequestBody): check readableLength (#1096) Β· chimurai/http-proxy-middleware@1bdccbe
:zap: The one-liner node.js http-proxy middleware for connect, express, next.js and more - fix(fixRequestBody): check readableLength (#1096) Β· chimurai/http-proxy-middleware@1bdccbe
π¨ CVE-2025-32944
The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner. If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup.
π@cveNotify
The vulnerability allows any authenticated user to cause the PeerTube server to stop functioning in a persistent manner. If user import is enabled (which is the default setting), any registered user can upload an archive for importing. The code uses the yauzl library for reading the archive. If the yauzl library encounters a filename that is considered illegal, it raises an exception that is uncaught by PeerTube, leading to a crash which repeats infinitely on startup.
π@cveNotify
GitHub
Release v7.1.1 Β· Chocobozzz/PeerTube
SECURITY
This release fixes important vulnerabilities of PeerTube <= 7.1.0, discovered by Ori Hollander of the JFrog Vulnerability Research team. Many thanks to them!
High severity Fix DoS and ...
This release fixes important vulnerabilities of PeerTube <= 7.1.0, discovered by Ori Hollander of the JFrog Vulnerability Research team. Many thanks to them!
High severity Fix DoS and ...
π¨ CVE-2025-32945
The vulnerability allows an existing user to add playlists to a different userβs channel using the PeerTube REST API. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user.
π@cveNotify
The vulnerability allows an existing user to add playlists to a different userβs channel using the PeerTube REST API. The vulnerable code sets the owner of the new playlist to be the user who performed the request, and then sets the associated channel to the channel ID supplied by the request, without checking if it belongs to the user.
π@cveNotify
GitHub
Release v7.1.1 Β· Chocobozzz/PeerTube
SECURITY
This release fixes important vulnerabilities of PeerTube <= 7.1.0, discovered by Ori Hollander of the JFrog Vulnerability Research team. Many thanks to them!
High severity Fix DoS and ...
This release fixes important vulnerabilities of PeerTube <= 7.1.0, discovered by Ori Hollander of the JFrog Vulnerability Research team. Many thanks to them!
High severity Fix DoS and ...
π¨ CVE-2025-8958
A vulnerability was identified in Tenda TX3 16.03.13.11_multi_TDE01. Affected by this vulnerability is an unknown functionality of the file /goform/fast_setting_wifi_set. The manipulation of the argument ssid leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
π@cveNotify
A vulnerability was identified in Tenda TX3 16.03.13.11_multi_TDE01. Affected by this vulnerability is an unknown functionality of the file /goform/fast_setting_wifi_set. The manipulation of the argument ssid leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.
π@cveNotify
GitHub
Tenda TX3 `/goform/fast_setting_wifi_set` Interface SSID Buffer Overflow Leading to Denial of Service (DoS) Β· Issue #16 Β· alc9700jmo/CVE
Vulnerability Title Tenda TX3 /goform/fast_setting_wifi_set Interface SSID Buffer Overflow Leading to Denial of Service (DoS) Vulnerability Details Description In the Tenda TX3 router firmware US_T...
π¨ CVE-2025-31996
HCL Unica Platform is affected by unprotected files due to improper access controls. These files may contain sensitive information such as private or system information that can be exploited by attackers to compromise the application, infrastructure, or users.
π@cveNotify
HCL Unica Platform is affected by unprotected files due to improper access controls. These files may contain sensitive information such as private or system information that can be exploited by attackers to compromise the application, infrastructure, or users.
π@cveNotify
Hcl-Software
Security Bulletin: Unprotected files are impacting HCL Unica Platform - Customer Support
Unprotected files due to improper access controls are impacting HCL Unica Platform.
π¨ CVE-2025-7707
The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.
π@cveNotify
The llama_index library version 0.12.33 sets the NLTK data directory to a subdirectory of the codebase by default, which is world-writable in multi-user environments. This configuration allows local users to overwrite, delete, or corrupt NLTK data files, leading to potential denial of service, data tampering, or privilege escalation. The vulnerability arises from the use of a shared cache directory instead of a user-specific one, making it susceptible to local data tampering and denial of service.
π@cveNotify
GitHub
v0.13.0 release (#19571) Β· run-llama/llama_index@9881639
LlamaIndex is the leading framework for building LLM-powered agents over your data. - v0.13.0 release (#19571) Β· run-llama/llama_index@9881639
π¨ CVE-2025-2334
A vulnerability classified as problematic has been found in 274056675 springboot-openai-chatgpt e84f6f5. This affects the function deleteChat of the file /api/mjkj-chat/chat/ai/delete/chat of the component Chat History Handler. The manipulation of the argument chatListId leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
π@cveNotify
A vulnerability classified as problematic has been found in 274056675 springboot-openai-chatgpt e84f6f5. This affects the function deleteChat of the file /api/mjkj-chat/chat/ai/delete/chat of the component Chat History Handler. The manipulation of the argument chatListId leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
π@cveNotify