🚨 CVE-2024-28102
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.
🎖@cveNotify
JWCrypto implements JWK, JWS, and JWE specifications using python-cryptography. Prior to version 1.5.6, an attacker can cause a denial of service attack by passing in a malicious JWE Token with a high compression ratio. When the server processes this token, it will consume a lot of memory and processing time. Version 1.5.6 fixes this vulnerability by limiting the maximum token length.
🎖@cveNotify
GitHub
Address potential DoS with high compression ratio · latchset/jwcrypto@90477a3
Fixes CVE-2024-28102
Signed-off-by: Simo Sorce <simo@redhat.com>
Signed-off-by: Simo Sorce <simo@redhat.com>
🚨 CVE-2024-57004
Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiting the SENT session.
🎖@cveNotify
Cross-Site Scripting (XSS) vulnerability in Roundcube Webmail 1.6.9 allows remote authenticated users to upload a malicious file as an email attachment, leading to the triggering of the XSS by visiting the SENT session.
🎖@cveNotify
GitHub
CVE/CVE-2024-57004 at main · riya98241/CVE
Publishing my CVE. Contribute to riya98241/CVE development by creating an account on GitHub.
🚨 CVE-2025-11374
Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content Length header validation. This vulnerability, CVE-2025-11374, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12.
🎖@cveNotify
Consul and Consul Enterprise’s (“Consul”) key/value endpoint is vulnerable to denial of service (DoS) due to incorrect Content Length header validation. This vulnerability, CVE-2025-11374, is fixed in Consul Community Edition 1.22.0 and Consul Enterprise 1.22.0, 1.21.6, 1.20.8 and 1.18.12.
🎖@cveNotify
HashiCorp Discuss
HCSEC-2025-29 - Consul's KV endpoint is vulnerable to denial of service
Bulletin ID: HCSEC-2025-29 Affected Products / Versions: Consul Community Edition up to 1.21.5, fixed in 1.22.0. Consul Enterprise up to 1.21.5, 1.20.7, 1.19.9 and 1.18.11 fixed in 1.22.0, 1.21.6, 1.20.8 and 1.18.12. Note: Consul Enterprise 1.19 is no…
🚨 CVE-2025-10021
A Use of Uninitialized Variable vulnerability exists in Open Design Alliance Drawings SDK static versions (mt) before 2026.12. Static object `COdaMfcAppApp theApp` may access `OdString::kEmpty` before its initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior, memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios.
🎖@cveNotify
A Use of Uninitialized Variable vulnerability exists in Open Design Alliance Drawings SDK static versions (mt) before 2026.12. Static object `COdaMfcAppApp theApp` may access `OdString::kEmpty` before its initialization. Due to undefined initialization order of static objects across translation units (Static Initialization Order Fiasco), the application accesses uninitialized memory. This results in application crash on startup, causing denial of service. Due to undefined behavior, memory corruption and potential arbitrary code execution cannot be ruled out in specific exploitation scenarios.
🎖@cveNotify
🚨 CVE-2025-4922
Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.
🎖@cveNotify
Nomad Community and Nomad Enterprise (“Nomad”) prefix-based ACL policy lookup can lead to incorrect rule application and shadowing. This vulnerability, identified as CVE-2025-4922, is fixed in Nomad Community Edition 1.10.2 and Nomad Enterprise 1.10.2, 1.9.10, and 1.8.14.
🎖@cveNotify
HashiCorp Discuss
HCSEC-2025-12 - Nomad Vulnerable To Incorrect ACL Policy Lookup Attached To A Job
Bulletin ID: HCSEC-2025-12 Affected Products / Versions: Nomad Community Edition from 1.4.0 up to 1.10.1, fixed in 1.10.2. Nomad Enterprise from 1.4.0 up to 1.10.1, 1.9.9, 1.8.13, fixed in 1.10.2, 1.9.10, and 1.8.14. Publication Date: June 11, 2025 Summary…
🚨 CVE-2025-49480
Out-of-bounds access in ASR180x 、ASR190x in lte-telephony, This vulnerability is associated with program files apps/lzma/src/LzmaEnc.c.
This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.
🎖@cveNotify
Out-of-bounds access in ASR180x 、ASR190x in lte-telephony, This vulnerability is associated with program files apps/lzma/src/LzmaEnc.c.
This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.
🎖@cveNotify
Asrmicro
Security Center
ASR Microelectronics Co., Ltd. (ASR, 688220.SH)was established in April 2015 and is headquartered at Zhang Jiang Hi-tech Park, Shanghai. It operates development and support centers in Beijing, Nanjing, Shenzhen, Hefei, Dalian, Chengdu, Xi’an and other mar
🚨 CVE-2025-49481
Improper Resource Shutdown or Release vulnerability in ASR180x 、ASR190x in router modules allows Resource Leak Exposure. This vulnerability is associated with program files router/phonebook/pbwork-queue.C.
This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.
🎖@cveNotify
Improper Resource Shutdown or Release vulnerability in ASR180x 、ASR190x in router modules allows Resource Leak Exposure. This vulnerability is associated with program files router/phonebook/pbwork-queue.C.
This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.
🎖@cveNotify
Asrmicro
Security Center
ASR Microelectronics Co., Ltd. (ASR, 688220.SH)was established in April 2015 and is headquartered at Zhang Jiang Hi-tech Park, Shanghai. It operates development and support centers in Beijing, Nanjing, Shenzhen, Hefei, Dalian, Chengdu, Xi’an and other mar
🚨 CVE-2025-50182
urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.
🎖@cveNotify
urllib3 is a user-friendly HTTP client library for Python. Starting in version 2.2.0 and prior to 2.5.0, urllib3 does not control redirects in browsers and Node.js. urllib3 supports being used in a Pyodide runtime utilizing the JavaScript Fetch API or falling back on XMLHttpRequest. This means Python libraries can be used to make HTTP requests from a browser or Node.js. Additionally, urllib3 provides a mechanism to control redirects, but the retries and redirect parameters are ignored with Pyodide; the runtime itself determines redirect behavior. This issue has been patched in version 2.5.0.
🎖@cveNotify
GitHub
Merge commit from fork · urllib3/urllib3@7eb4a2a
urllib3 is a user-friendly HTTP client library for Python - Merge commit from fork · urllib3/urllib3@7eb4a2a
🚨 CVE-2025-5072
Resource leak vulnerability in ASR180x、ASR190x in con_mgr allows Resource Leak Exposure.This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.
🎖@cveNotify
Resource leak vulnerability in ASR180x、ASR190x in con_mgr allows Resource Leak Exposure.This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.
🎖@cveNotify
Asrmicro
Security Center
ASR Microelectronics Co., Ltd. (ASR, 688220.SH)was established in April 2015 and is headquartered at Zhang Jiang Hi-tech Park, Shanghai. It operates development and support centers in Beijing, Nanjing, Shenzhen, Hefei, Dalian, Chengdu, Xi’an and other mar
🚨 CVE-2025-49489
Improper Resource Shutdown or Release vulnerability in ASR Falcon_Linux、Kestrel、Lapwing_Linux on Linux (con_mgr
components) allows Resource Leak Exposure. This vulnerability is associated with program files con_mgr/dialer_task.C.
This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.
🎖@cveNotify
Improper Resource Shutdown or Release vulnerability in ASR Falcon_Linux、Kestrel、Lapwing_Linux on Linux (con_mgr
components) allows Resource Leak Exposure. This vulnerability is associated with program files con_mgr/dialer_task.C.
This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.
🎖@cveNotify
Asrmicro
Security Center
ASR Microelectronics Co., Ltd. (ASR, 688220.SH)was established in April 2015 and is headquartered at Zhang Jiang Hi-tech Park, Shanghai. It operates development and support centers in Beijing, Nanjing, Shenzhen, Hefei, Dalian, Chengdu, Xi’an and other mar
🚨 CVE-2023-53945
BrainyCP 1.0 contains an authenticated remote code execution vulnerability that allows logged-in users to inject arbitrary commands through the crontab configuration interface. Attackers can exploit the crontab endpoint by adding a malicious command that spawns a reverse shell to a specified IP and port.
🎖@cveNotify
BrainyCP 1.0 contains an authenticated remote code execution vulnerability that allows logged-in users to inject arbitrary commands through the crontab configuration interface. Attackers can exploit the crontab endpoint by adding a malicious command that spawns a reverse shell to a specified IP and port.
🎖@cveNotify
🚨 CVE-2025-14591
In Delphix Continuous Compliance version 2025.3.0 and later, following a recent bug fix to correctly handle CR+LF (Windows and DOS) End-of-Record (EOR) characters in delimited files, an issue was identified: using an incorrect EOR configuration can cause inaccurate parsing and leave personally identifiable information (PII) unmasked.
🎖@cveNotify
In Delphix Continuous Compliance version 2025.3.0 and later, following a recent bug fix to correctly handle CR+LF (Windows and DOS) End-of-Record (EOR) characters in delimited files, an issue was identified: using an incorrect EOR configuration can cause inaccurate parsing and leave personally identifiable information (PII) unmasked.
🎖@cveNotify
Perforce
TB137 - PII Leak Due to Change in EOR Handling
PII leak can occur as a result of change in EOR handling
🚨 CVE-2025-67826
An issue was discovered in K7 Ultimate Security 17.0.2045. A Local Privilege Escalation (LPE) vulnerability in the K7 Ultimate Security antivirus can be exploited by a local unprivileged user on default installations of the product. Insecure access to a named pipe allows unprivileged users to edit any registry key, leading to a full compromise as SYSTEM.
🎖@cveNotify
An issue was discovered in K7 Ultimate Security 17.0.2045. A Local Privilege Escalation (LPE) vulnerability in the K7 Ultimate Security antivirus can be exploited by a local unprivileged user on default installations of the product. Insecure access to a named pipe allows unprivileged users to edit any registry key, leading to a full compromise as SYSTEM.
🎖@cveNotify
🚨 CVE-2025-67443
Schlix CMS before v2.2.9-5 is vulnerable to Cross Site Scripting (XSS). Due to lack of javascript sanitization in the login form, incorrect login attempts in logs are triggered as XSS in the admin panel.
🎖@cveNotify
Schlix CMS before v2.2.9-5 is vulnerable to Cross Site Scripting (XSS). Due to lack of javascript sanitization in the login form, incorrect login attempts in logs are triggered as XSS in the admin panel.
🎖@cveNotify
Gist
CVE-2025-67443.txt
GitHub Gist: instantly share code, notes, and snippets.
🚨 CVE-2019-10648
Robocode through 1.9.3.5 allows remote attackers to cause external service interaction (DNS), as demonstrated by a query for a unique subdomain name within an attacker-controlled DNS zone, because of a .openStream call within java.net.URL.
🎖@cveNotify
Robocode through 1.9.3.5 allows remote attackers to cause external service interaction (DNS), as demonstrated by a query for a unique subdomain name within an attacker-controlled DNS zone, because of a .openStream call within java.net.URL.
🎖@cveNotify
GitHub
Bug-406: DNS interaction is not blocked by Robocode's security manage… · robo-code/robocode@836c846
…r + test(s) to verify the fix
🚨 CVE-2025-25038
An OS command injection vulnerability exists in MiniDVBLinux version 5.4 and earlier. The system’s web-based management interface fails to properly sanitize user-supplied input before passing it to operating system commands. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary commands as the root user, potentially compromising the entire device. Exploitation evidence was observed by the Shadowserver Foundation on 2024-04-10 UTC.
🎖@cveNotify
An OS command injection vulnerability exists in MiniDVBLinux version 5.4 and earlier. The system’s web-based management interface fails to properly sanitize user-supplied input before passing it to operating system commands. A remote unauthenticated attacker can exploit this vulnerability to execute arbitrary commands as the root user, potentially compromising the entire device. Exploitation evidence was observed by the Shadowserver Foundation on 2024-04-10 UTC.
🎖@cveNotify
Cxsecurity
MiniDVBLinux 5.4 SVDRP Control - CXSecurity.com
LiquidWorm has realised a new security note MiniDVBLinux 5.4 SVDRP Control
🚨 CVE-2025-49490
Resource leak vulnerability in ASR180x in router allows Resource Leak Exposure.
This vulnerability is associated with program files router/sms/sms.c.
This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.
🎖@cveNotify
Resource leak vulnerability in ASR180x in router allows Resource Leak Exposure.
This vulnerability is associated with program files router/sms/sms.c.
This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.
🎖@cveNotify
Asrmicro
Security Center
ASR Microelectronics Co., Ltd. (ASR, 688220.SH)was established in April 2015 and is headquartered at Zhang Jiang Hi-tech Park, Shanghai. It operates development and support centers in Beijing, Nanjing, Shenzhen, Hefei, Dalian, Chengdu, Xi’an and other mar
🚨 CVE-2025-49488
Improper Resource Shutdown or Release vulnerability in ASR180x 、ASR190x in router
components
allows Resource Leak Exposure. This vulnerability is associated with program files router/phonebook/pb.c.
This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.
🎖@cveNotify
Improper Resource Shutdown or Release vulnerability in ASR180x 、ASR190x in router
components
allows Resource Leak Exposure. This vulnerability is associated with program files router/phonebook/pb.c.
This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.
🎖@cveNotify
Asrmicro
Security Center
ASR Microelectronics Co., Ltd. (ASR, 688220.SH)was established in April 2015 and is headquartered at Zhang Jiang Hi-tech Park, Shanghai. It operates development and support centers in Beijing, Nanjing, Shenzhen, Hefei, Dalian, Chengdu, Xi’an and other mar
🚨 CVE-2025-49491
Improper Resource Shutdown or Release vulnerability in ASR Falcon_Linux、Kestrel、Lapwing_Linux on Linux (traffic_stat modules) allows Resource Leak Exposure. This vulnerability is associated with program files traffic_stat/traffic_service/traffic_service.C.
This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.
🎖@cveNotify
Improper Resource Shutdown or Release vulnerability in ASR Falcon_Linux、Kestrel、Lapwing_Linux on Linux (traffic_stat modules) allows Resource Leak Exposure. This vulnerability is associated with program files traffic_stat/traffic_service/traffic_service.C.
This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.
🎖@cveNotify
Asrmicro
Security Center
ASR Microelectronics Co., Ltd. (ASR, 688220.SH)was established in April 2015 and is headquartered at Zhang Jiang Hi-tech Park, Shanghai. It operates development and support centers in Beijing, Nanjing, Shenzhen, Hefei, Dalian, Chengdu, Xi’an and other mar
🚨 CVE-2025-49492
Out-of-bounds write in ASR180x in lte-telephony, May cause a buffer underrun. This vulnerability is associated with program files apps/atcmd_server/src/dev_api.C.
This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.
🎖@cveNotify
Out-of-bounds write in ASR180x in lte-telephony, May cause a buffer underrun. This vulnerability is associated with program files apps/atcmd_server/src/dev_api.C.
This issue affects Falcon_Linux、Kestrel、Lapwing_Linux: before v1536.
🎖@cveNotify
Asrmicro
Security Center
ASR Microelectronics Co., Ltd. (ASR, 688220.SH)was established in April 2015 and is headquartered at Zhang Jiang Hi-tech Park, Shanghai. It operates development and support centers in Beijing, Nanjing, Shenzhen, Hefei, Dalian, Chengdu, Xi’an and other mar
🚨 CVE-2025-49113
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
🎖@cveNotify
Roundcube Webmail before 1.5.10 and 1.6.x before 1.6.11 allows remote code execution by authenticated users because the _from parameter in a URL is not validated in program/actions/settings/upload.php, leading to PHP Object Deserialization.
🎖@cveNotify
fearsoff.org
Roundcube ≤ 1.6.10 Post-Auth RCE via PHP Object Deserialization [CVE-2025-49113]
A deep technical breakdown of CVE-2025-49113, a critical Roundcube vulnerability involving PHP session serialization. Learn how the bug was discovered, exploited, and responsibly disclosed with full PoC and recommendations for defenders and developers. Kirill…