π¨ CVE-2025-41110
Encrypted WiFi and SSH credentials were found in the Ghost Robotics Vision 60 v0.27.2 APK. This vulnerability allows an attacker to connect to the robot's WiFi and view all its data, as it runs on ROS 2 without default authentication. In addition, the attacker can connect via SSH and gain full control of the robot, which could cause physical damage to the robot itself or its environment.
π@cveNotify
Encrypted WiFi and SSH credentials were found in the Ghost Robotics Vision 60 v0.27.2 APK. This vulnerability allows an attacker to connect to the robot's WiFi and view all its data, as it runs on ROS 2 without default authentication. In addition, the attacker can connect via SSH and gain full control of the robot, which could cause physical damage to the robot itself or its environment.
π@cveNotify
www.incibe.es
Multiple vulnerabilities in Ghost Robotics' Vision 60
INCIBE has coordinated the publication of three vulnerabilities, one critical and two high severity, a
π¨ CVE-2025-11750
In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, when a login or registration attempt is made with a non-existent username or email, the system responds with a message such as "account not found." Conversely, when the username or email exists but the password is incorrect, a different error message is returned. This discrepancy allows an attacker to enumerate valid user accounts by analyzing the error responses, potentially facilitating targeted social engineering, brute force, or credential stuffing attacks.
π@cveNotify
In langgenius/dify-web version 1.6.0, the authentication mechanism reveals the existence of user accounts by returning different error messages for non-existent and existing accounts. Specifically, when a login or registration attempt is made with a non-existent username or email, the system responds with a message such as "account not found." Conversely, when the username or email exists but the password is incorrect, a different error message is returned. This discrepancy allows an attacker to enumerate valid user accounts by analyzing the error responses, potentially facilitating targeted social engineering, brute force, or credential stuffing attacks.
π@cveNotify
π¨ CVE-2025-11844
Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitization or escaping. This allows an attacker to inject malicious XPath syntax that can alter the intended query logic. The vulnerability enables attackers to bypass search filters, access unintended DOM elements, and disrupt web automation workflows. This can lead to information disclosure, manipulation of AI agent interactions, and compromise the reliability of automated web tasks. The issue is fixed in version 1.22.0.
π@cveNotify
Hugging Face Smolagents version 1.20.0 contains an XPath injection vulnerability in the search_item_ctrl_f function located in src/smolagents/vision_web_browser.py. The function constructs an XPath query by directly concatenating user-supplied input into the XPath expression without proper sanitization or escaping. This allows an attacker to inject malicious XPath syntax that can alter the intended query logic. The vulnerability enables attackers to bypass search filters, access unintended DOM elements, and disrupt web automation workflows. This can lead to information disclosure, manipulation of AI agent interactions, and compromise the reliability of automated web tasks. The issue is fixed in version 1.22.0.
π@cveNotify
GitHub
Fix XPath injection in search_item_ctrl_f (#1768) Β· huggingface/smolagents@f570ed5
π€ smolagents: a barebones library for agents that think in code. - Fix XPath injection in search_item_ctrl_f (#1768) Β· huggingface/smolagents@f570ed5
π¨ CVE-2024-6322
Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.
π@cveNotify
Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource. The account must have prior query access to the impacted datasource.
π@cveNotify
Grafana Labs
Authorization Bypass in Plugin Routes in Grafana | Grafana Labs
Access control for plugin data sources protected by the ReqActions json field of the plugin.json is bypassed if the user or service account is granted associated access to any other data source, as the ReqActions check was not scoped to each specific datasource.β¦
π¨ CVE-2024-30134
The HCL Traveler for Microsoft Outlook executable (HTMO.exe) is being flagged as potentially Malicious Software or an Unrecognized Application.
π@cveNotify
The HCL Traveler for Microsoft Outlook executable (HTMO.exe) is being flagged as potentially Malicious Software or an Unrecognized Application.
π@cveNotify
π¨ CVE-2024-30132
HCL Nomad server on Domino did not configure certain HTTP Security headers by default which could allow an attacker to obtain sensitive information via unspecified vectors.
π@cveNotify
HCL Nomad server on Domino did not configure certain HTTP Security headers by default which could allow an attacker to obtain sensitive information via unspecified vectors.
π@cveNotify
Hcl-Software
Security Bulletin: Missing default HTTP security headers affect HCL Nomad server on Domino (CVE-2024-30132) - Customer Support
HCL Nomad server on Domino is affected by missing default security headers which could allow an attacker
π¨ CVE-2024-47876
Sakai is a Collaboration and Learning Environment. Starting in version 23.0 and prior to version 23.2, kernel users created with type roleview can log in as a normal user. This can result in illegal access being granted to the system. Version 23.3 fixes this vulnerability.
π@cveNotify
Sakai is a Collaboration and Learning Environment. Starting in version 23.0 and prior to version 23.2, kernel users created with type roleview can log in as a normal user. This can result in illegal access being granted to the system. Version 23.3 fixes this vulnerability.
π@cveNotify
GitHub
Merge commit from fork Β· sakaiproject/sakai@a9aadd9
https://sakaiproject.atlassian.net/browse/SAK-50571
π¨ CVE-2024-30133
HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a control flow vulnerability. The application does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
π@cveNotify
HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a control flow vulnerability. The application does not sufficiently manage its control flow during execution, creating conditions in which the control flow can be modified in unexpected ways.
π@cveNotify
Hcl-Software
Security Bulletin: HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a control flow vulnerability (CVE-2024-30133) -β¦
HCL Traveler for Microsoft Outlook (HTMO) is susceptible to a control flow vulnerability which could
π¨ CVE-2024-30109
HCL DRYiCE AEX is impacted by a lack of clickjacking protection in the AEX web application. An attacker can use multiple transparent or opaque layers to trick a user into clicking on a button or link on another page than the one intended.
π@cveNotify
HCL DRYiCE AEX is impacted by a lack of clickjacking protection in the AEX web application. An attacker can use multiple transparent or opaque layers to trick a user into clicking on a button or link on another page than the one intended.
π@cveNotify
Hcl-Software
Security Bulletin: Multiple security vulnerabilities affect HCL DRYiCE AEX - Customer Support
HCL DRYiCE AEX is affected by multiple security vulnerabilities.
π¨ CVE-2024-30110
HCL DRYiCE
AEX product is impacted by lack of input validation vulnerability in a particular web application. A malicious script can be injected into a system which
can cause the system to behave in unexpected ways.
π@cveNotify
HCL DRYiCE
AEX product is impacted by lack of input validation vulnerability in a particular web application. A malicious script can be injected into a system which
can cause the system to behave in unexpected ways.
π@cveNotify
Hcl-Software
Security Bulletin: Multiple security vulnerabilities affect HCL DRYiCE AEX - Customer Support
HCL DRYiCE AEX is affected by multiple security vulnerabilities.
π¨ CVE-2024-30111
HCL DRYiCE AEX product is impacted by Missing
Root Detection vulnerability in the mobile application. The mobile app can be installed in the rooted
device due to which malicious users can gain unauthorized access to the rooted
devices, compromising security and potentially leading to data breaches or
other malicious activities.
π@cveNotify
HCL DRYiCE AEX product is impacted by Missing
Root Detection vulnerability in the mobile application. The mobile app can be installed in the rooted
device due to which malicious users can gain unauthorized access to the rooted
devices, compromising security and potentially leading to data breaches or
other malicious activities.
π@cveNotify
Hcl-Software
Security Bulletin: Multiple security vulnerabilities affect HCL DRYiCE AEX - Customer Support
HCL DRYiCE AEX is affected by multiple security vulnerabilities.
π¨ CVE-2024-30135
HCL DRYiCE AEX is potentially impacted by disclosure of sensitive information in the mobile application when a snapshot is taken.
π@cveNotify
HCL DRYiCE AEX is potentially impacted by disclosure of sensitive information in the mobile application when a snapshot is taken.
π@cveNotify
Hcl-Software
Security Bulletin: Multiple security vulnerabilities affect HCL DRYiCE AEX - Customer Support
HCL DRYiCE AEX is affected by multiple security vulnerabilities.
π¨ CVE-2024-30130
HCL Nomad server on Domino is vulnerable to the cache containing sensitive information which could potentially give an attacker the ability to acquire the sensitive information.
π@cveNotify
HCL Nomad server on Domino is vulnerable to the cache containing sensitive information which could potentially give an attacker the ability to acquire the sensitive information.
π@cveNotify
Hcl-Software
Security Bulletin: HCL Nomad server on Domino is affected by a use of web browser cache containing sensitive information vulnerabilityβ¦
HCL Nomad server on Domino is vulnerable to the cache containing sensitive information, potentially giving
π¨ CVE-2024-30128
HCL Nomad server on Domino is affected by an open proxy vulnerability in which an unauthenticated attacker can mask their original source IP address. This may enable an attacker to trick the user into exposing sensitive information.
π@cveNotify
HCL Nomad server on Domino is affected by an open proxy vulnerability in which an unauthenticated attacker can mask their original source IP address. This may enable an attacker to trick the user into exposing sensitive information.
π@cveNotify
Hcl-Software
Security Bulletin: An open proxy vulnerability affects HCL Nomad server on Domino (CVE-2024-30128) - Customer Support
HCL Nomad server on Domino is affected by an open proxy vulnerability in which attackers can mask their
π¨ CVE-2019-5544
OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
π@cveNotify
OpenSLP as used in ESXi and the Horizon DaaS appliances has a heap overwrite issue. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.8.
π@cveNotify