🚨 CVE-2025-62491
A Use-After-Free (UAF) vulnerability exists in the QuickJS engine's standard library when iterating over the global list of unhandled rejected promises (ts->rejected_promise_list).
* The function js_std_promise_rejection_check attempts to iterate over the rejected_promise_list to report unhandled rejections using a standard list loop.
* The reason for a promise rejection is processed inside the loop, including calling js_std_dump_error1(ctx, rp->reason).
* If the promise rejection reason is an Error object that defines a custom property getter (e.g., via Object.defineProperty), this getter is executed during the error dumping process.
* The malicious custom getter can execute JavaScript code that calls catch() on the same rejected promise being processed.
* Calling catch() internally triggers js_std_promise_rejection_tracker, which then removes and frees the current promise entry (JSRejectedPromiseEntry) from the rejected_promise_list.
* Since the list iteration continues using the now-freed memory pointer (el), the subsequent loop access results in a Use-After-Free condition.
@cveNotify
🚨 CVE-2025-62710
Sakai is a Collaboration and Learning Environment. Prior to versions 23.5 and 25.0, EncryptionUtilityServiceImpl initialized an AES256TextEncryptor password (serverSecretKey) using RandomStringUtils with the default java.util.Random. java.util.Random is a non-cryptographic PRNG and can be predicted from limited state/seed information (e.g., start time window), substantially reducing the effective search space of the generated key. An attacker who can obtain ciphertexts (e.g., exported or at-rest strings protected by this service) and approximate the PRNG seed can feasibly reconstruct the serverSecretKey and decrypt affected data. SAK-49866 is patched in Sakai 23.5, 25.0, and trunk.
GitHub
SAK-49866 use commons-text for generation · sakaiproject/sakai@bde0701
use SecureRandom
(cherry picked from commit baea15177800d796346e94cea5db1276ad0b58ba)
🚨 CVE-2025-41073
Path Traversal vulnerability in version 4.4.2236.1 of TESI Gandia Integra Total. This issue allows an authenticated attacker to download a ZIP file containing files from the server, including those located in parent directories (e.g., ..\..\..), by exploiting the 'direstudio' parameter in '/encuestas/integraweb[_v4]/integra/html/view/comprimir.php'.
www.incibe.es
Path Traversal in Gandia Integra Total by TESI
INCIBE has coordinated the publication of a high-severity vulnerability affecting Gandia Integra Total
🚨 CVE-2025-61464
gnuboard gnuboard4 v4.36.04 and before is vulnerable to Second-order SQL Injection via the search_table in bbs/search.php.
GitHub
Second-order SQL Injection via variable pollution of search_table (identifier injection) in bbs/search.php · Issue #1 · gnuboard/gnuboard4
Issue Content Affected file: bbs/search.php Vulnerability: Variable pollution + second-order SQL injection (identifier position) Severity: High (exfiltration of sensitive data, logic bypass) Descri...
🚨 CVE-2023-41265
An HTTP Request Tunneling vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows a remote attacker to elevate their privilege by tunneling HTTP requests in the raw HTTP request. This allows them to send requests that get executed by the backend server hosting the repository application. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.
Qlik
Critical Security fixes for Qlik Sense Enterprise for Windows (CVE-2023-41266, CVE-2023-41265)
Executive Summary Two security issues in Qlik Sense Enterprise for Windows have been identified and patches made available. If the two vulnerabilities are combined and successfully exploited, these issues could lead to a compromise of the server running…
🚨 CVE-2025-1731
An incorrect permission assignment vulnerability in the PostgreSQL commands of the Zyxel USG FLEX H series uOS firmware versions from V1.20 through V1.31 could allow an authenticated local attacker with low privileges to gain access to the Linux shell and escalate their privileges by crafting malicious scripts or modifying system configurations with administrator-level access through a stolen token. Modifying the system configuration is only possible if the administrator has not logged out and the token remains valid.
Zyxel
Zyxel security advisory for incorrect permission assignment and improper privilege management vulnerabilities in USG FLEX H series…
CVEs: CVE-2025-1731, CVE-2025-1732 Summary Zyxel has released patches to address incorrect permission assignment and improper privilege management vulnerabilities in the USG FLEX H series firewalls. Users are advised to install them for optimal protection.…
🚨 CVE-2025-1732
An improper privilege management vulnerability in the recovery function of the Zyxel USG FLEX H series uOS firmware version V1.31 and earlier could allow an authenticated local attacker with administrator privileges to upload a crafted configuration file and escalate privileges on a vulnerable device.
Zyxel
Zyxel security advisory for incorrect permission assignment and improper privilege management vulnerabilities in USG FLEX H series…
CVEs: CVE-2025-1731, CVE-2025-1732 Summary Zyxel has released patches to address incorrect permission assignment and improper privilege management vulnerabilities in the USG FLEX H series firewalls. Users are advised to install them for optimal protection.…
🚨 CVE-2025-41110
Encrypted WiFi and SSH credentials were found in the Ghost Robotics Vision 60 v0.27.2 APK. This vulnerability allows an attacker to connect to the robot's WiFi and view all its data, as it runs on ROS 2 without default authentication. In addition, the attacker can connect via SSH and gain full control of the robot, which could cause physical damage to the robot itself or its environment.
www.incibe.es
Multiple vulnerabilities in Ghost Robotics' Vision 60
INCIBE has coordinated the publication of three vulnerabilities, one critical and two high severity, a
🚨 CVE-2025-11750
In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, when a login or registration attempt is made with a non-existent username or email, the system responds with a message such as "account not found." Conversely, when the username or email exists but the password is incorrect, a different error message is returned. This discrepancy allows an attacker to enumerate valid user accounts by analyzing the error responses, potentially facilitating targeted social engineering, brute force, or credential stuffing attacks.
🚨 CVE-2025-11844
Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitization or escaping. This allows an attacker to inject malicious XPath syntax that can alter the intended query logic. The vulnerability enables attackers to bypass search filters, access unintended DOM elements, and disrupt web automation workflows. This can lead to information disclosure, manipulation of AI agent interactions, and compromise the reliability of automated web tasks. The issue is fixed in version 1.22.0.
GitHub
Fix XPath injection in search_item_ctrl_f (#1768) · huggingface/smolagents@f570ed5
🤗 smolagents: a barebones library for agents that think in code. - Fix XPath injection in search_item_ctrl_f (#1768) · huggingface/smolagents@f570ed5
🚨 CVE-2024-6322
Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.
Grafana Labs
Authorization Bypass in Plugin Routes in Grafana | Grafana Labs
Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource.…
🚨 CVE-2024-30134
The HCL Traveler for Microsoft Outlook executable (HTMO.exe) is being flagged as potentially Malicious Software or an Unrecognized Application.
🚨 CVE-2024-30132
HCL Nomad server on Domino did not configure certain HTTP Security headers by default which could allow an attacker to obtain sensitive information via unspecified vectors.
Hcl-Software
Security Bulletin: Missing default HTTP security headers affect HCL Nomad server on Domino (CVE-2024-30132) - Customer Support
HCL Nomad server on Domino is affected by missing default security headers which could allow an attacker
🚨 CVE-2024-47876
Sakai is a Collaboration and Learning Environment. Starting in version 23.0 and prior to version 23.2, kernel users created with type roleview can log in as a normal user. This can result in illegal access being granted to the system. Version 23.3 fixes this vulnerability.
GitHub
Merge commit from fork · sakaiproject/sakai@a9aadd9
https://sakaiproject.atlassian.net/browse/SAK-50571
🚨 CVE-2024-30133
HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a control flow vulnerability. The application does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
Hcl-Software
Security Bulletin: HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a control flow vulnerability (CVE-2024-30133) -…
HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a control flow vulnerability which could
🚨 CVE-2024-30109
HCL DRYiCE AEX is impacted by a lack of clickjacking protection in the AEX web application. An attacker can use multiple transparent or opaque layers to trick a user into clicking on a button or link on another page than the one intended.
Hcl-Software
Security Bulletin: Multiple security vulnerabilities affect HCL DRYiCE AEX - Customer Support
HCL DRYiCE AEX is affected by multiple security vulnerabilities.
🚨 CVE-2024-30110
HCL DRYiCE AEX product is impacted by a lack of input validation vulnerability in a particular web application. A malicious script can be injected into the system, which can cause the system to behave in unexpected ways.
Hcl-Software
Security Bulletin: Multiple security vulnerabilities affect HCL DRYiCE AEX - Customer Support
HCL DRYiCE AEX is affected by multiple security vulnerabilities.
🚨 CVE-2024-30111
HCL DRYiCE AEX product is impacted by a Missing Root Detection vulnerability in the mobile application. The mobile app can be installed on a rooted device, due to which malicious users can gain unauthorized access to the rooted devices, compromising security and potentially leading to data breaches or other malicious activities.
Hcl-Software
Security Bulletin: Multiple security vulnerabilities affect HCL DRYiCE AEX - Customer Support
HCL DRYiCE AEX is affected by multiple security vulnerabilities.
🚨 CVE-2024-30135
HCL DRYiCE AEX is potentially impacted by disclosure of sensitive information in the mobile application when a snapshot is taken.
Hcl-Software
Security Bulletin: Multiple security vulnerabilities affect HCL DRYiCE AEX - Customer Support
HCL DRYiCE AEX is affected by multiple security vulnerabilities.
🚨 CVE-2024-30130
HCL Nomad server on Domino is vulnerable to the cache containing sensitive information which could potentially give an attacker the ability to acquire the sensitive information.
Hcl-Software
Security Bulletin: HCL Nomad server on Domino is affected by a use of web browser cache containing sensitive information vulnerability…
HCL Nomad server on Domino is vulnerable to the cache containing sensitive information, potentially giving
🚨 CVE-2024-30128
HCL Nomad server on Domino is affected by an open proxy vulnerability in which an unauthenticated attacker can mask their original source IP address. This may enable an attacker to trick the user into exposing sensitive information.
Hcl-Software
Security Bulletin: An open proxy vulnerability affects HCL Nomad server on Domino (CVE-2024-30128) - Customer Support
HCL Nomad server on Domino is affected by an open proxy vulnerability in which attackers can mask their