🚨 CVE-2025-12155
A Command Injection vulnerability, resulting from improper file path sanitization (Directory Traversal) in Looker allows an attacker with Developer permission to execute arbitrary shell commands when a user is deleted on the host system.
Looker-hosted and Self-hosted were found to be vulnerable.
This issue has already been mitigated for Looker-hosted instances. No user action is required for these.
Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted.
The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/:
* 24.12.100+
* 24.18.192+
* 25.0.69+
* 25.6.57+
* 25.8.39+
* 25.10.22+
@cveNotify
Google Cloud Documentation
Security Bulletins | Cloud Customer Care | Google Cloud Documentation
🚨 CVE-2025-12397
A SQL injection vulnerability was found in Looker Studio.
A Looker Studio user with report view access could inject malicious SQL that would execute with the report owner's permissions. The vulnerability affected reports with BigQuery as the data source.
This vulnerability was patched on 21 July 2025, and no customer action is needed.
Security Bulletins | Cloud Customer Care | Google Cloud Documentation
🚨 CVE-2025-12409
A SQL injection vulnerability was discovered in Looker Studio that allowed for data exfiltration from BigQuery data sources.
By creating a malicious report with native functions enabled, and having the victim access the report, an attacker could execute injected SQL queries with the victim's permissions in BigQuery.
This vulnerability was patched on 07 July 2025, and no customer action is needed.
Security Bulletins | Cloud Customer Care | Google Cloud Documentation
🚨 CVE-2025-41107
Stored Cross Site Scripting (XSS) vulnerability in Smart School 7.0 due to lack of proper validation of user input when sending a POST request to '/online_admission', which affects the parameters 'firstname', 'lastname', 'guardian_name' and others. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal his/her session cookie details.
www.incibe.es
Stored Cross-Site Scripting (XSS) in Smart School
🚨 CVE-2025-12405
An improper privilege management vulnerability was found in Looker Studio. It impacted all JDBC-based connectors.
A Looker Studio user with report view access could make a copy of the report and execute arbitrary SQL that would run on the data source database due to the stored credentials attached to the report.
This vulnerability was patched on 21 July 2025, and no customer action is needed.
Google Cloud Documentation
Security Bulletins | Cloud Customer Care | Google Cloud Documentation
🚨 CVE-2025-41001
Stored Cross Site Scripting (XSS) vulnerability in SOPlanning v1.53.02, which consists of a stored XSS due to a lack of proper validation of user input when sending a POST request using the 'LOGOUT_REDIRECT' parameter in '/soplanning/www/process/options.php'. This vulnerability could allow a remote user to send a specially crafted query to an authenticated user and steal their session cookie details.
www.incibe.es
Cross-Site Scripting (XSS) in SOPlanning
🚨 CVE-2025-12938
A vulnerability was identified in projectworlds Online Admission System 1.0. Affected by this vulnerability is an unknown functionality of the file /process_login.php. The manipulation of the argument keywords leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
GitHub
Projectworlds Online Attendance System Project V1.0 /process_login.php SQL injection · Issue #1 · juzidddd/CVE
🚨 CVE-2025-11690
An Insecure Direct Object Reference (IDOR) vulnerability exists in the vehicleId parameter, allowing unauthorized access to sensitive information of other users' vehicles. Exploiting this issue enables an attacker to retrieve data such as GPS coordinates, encryption keys, initialization vectors, model numbers, and fuel statistics belonging to other users, instead of being limited to their own vehicle data. The fix for this vulnerability is a server-side authorization fix.
advisories.ncsc.nl
NCSC NL | Beveiligingsadviezen
🚨 CVE-2025-12939
A security flaw has been discovered in SourceCodester Interview Management System up to 1.0. Affected by this issue is some unknown functionality of the file /addCandidate.php. The manipulation of the argument candName results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be exploited.
GitHub
SOURCECODESTER Interview Management System Project V1.0 /addCandidate.php SQL injection and Input Validation · Issue #10 · puppytgyh/…
🚨 CVE-2025-6032
A flaw was found in Podman. The podman machine init command fails to verify the TLS certificate when downloading the VM images from an OCI registry. This issue results in a Man In The Middle attack.
🚨 CVE-2025-4953
A flaw was found in Podman. In a Containerfile or Podman, data written to RUN --mount=type=bind mounts during the podman build is not discarded. This issue can lead to files created within the container appearing in the temporary build context directory on the host, leaving the created files accessible.
🚨 CVE-2025-12735
The expr-eval library is a JavaScript expression parser and evaluator designed to safely evaluate mathematical expressions with user-defined variables. However, due to insufficient input validation, an attacker can pass a crafted variables object into the evaluate() function and trigger arbitrary code execution.
GitHub
GitHub - jorenbroekema/expr-eval: Mathematical expression evaluator in JavaScript
Mathematical expression evaluator in JavaScript. Contribute to jorenbroekema/expr-eval development by creating an account on GitHub.
🚨 CVE-2025-64456
In JetBrains ReSharper before 2025.2.4 missing signature verification in DPA Collector allows local privilege escalation
JetBrains
Fixed security issues
This page contains information about resolved security issues, including description, severity, assigned CVEs, and the product versions in which they were resolved.
🚨 CVE-2025-64457
In JetBrains dotTrace before 2025.2.5 local privilege escalation possible via race condition
JetBrains
Fixed security issues
🚨 CVE-2025-64681
In JetBrains Hub before 2025.3.104992 a race condition allowed bypass of the user limit via invitations
JetBrains
Fixed security issues
🚨 CVE-2025-64682
In JetBrains Hub before 2025.3.104432 a race condition allowed bypass of the Agent-user limit
JetBrains
Fixed security issues
🚨 CVE-2025-64683
In JetBrains Hub before 2025.3.104432 information disclosure was possible via the Users API
JetBrains
Fixed security issues
🚨 CVE-2025-64684
In JetBrains YouTrack before 2025.3.104432 information disclosure was possible via the feedback form
JetBrains
Fixed security issues
🚨 CVE-2025-64685
In JetBrains YouTrack before 2025.3.104432 missing TLS certificate validation enabled data disclosure
JetBrains
Fixed security issues
🚨 CVE-2025-64686
In JetBrains YouTrack before 2025.3.104432 missing user principal cleanup led to reuse of incorrect authorization context
JetBrains
Fixed security issues
🚨 CVE-2025-64687
In JetBrains YouTrack before 2025.3.104432 improper access control allowed modification of MCP tool logic
JetBrains
Fixed security issues