π¨ CVE-2025-54159
Missing authorization vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows remote attackers to delete arbitrary files via unspecified vectors.
π@cveNotify
Missing authorization vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows remote attackers to delete arbitrary files via unspecified vectors.
π@cveNotify
Synology
Synology_SA_25_08 | Synology Inc.
Synology Product Security Advisory
π¨ CVE-2025-54160
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors.
π@cveNotify
Improper limitation of a pathname to a restricted directory ('Path Traversal') vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.2-13960 allows local users to execute arbitrary code via unspecified vectors.
π@cveNotify
Synology
Synology_SA_25_08 | Synology Inc.
Synology Product Security Advisory
π¨ CVE-2025-8074
Origin validation error vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.3-13973 allows local users to write arbitrary files with non-sensitive information via unspecified vectors.
π@cveNotify
Origin validation error vulnerability in BeeDrive in Synology BeeDrive for desktop before 1.4.3-13973 allows local users to write arbitrary files with non-sensitive information via unspecified vectors.
π@cveNotify
Synology
Synology_SA_25_09 | Synology Inc.
Synology Product Security Advisory
π¨ CVE-2025-6591
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php.
This issue affects MediaWiki: from * before 1.39.13, 1.42.7 1.43.2, 1.44.0.
π@cveNotify
Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php.
This issue affects MediaWiki: from * before 1.39.13, 1.42.7 1.43.2, 1.44.0.
π@cveNotify
Phabricator
T392276 CVE-2025-6591: HTML injection in API action=feedcontributions output from i18n message
This is basically the same issue as {T386175}, except in the API's action=feedcontributions class.
π¨ CVE-2025-46651
Tiny File Manager through 2.6 contains a server-side request forgery (SSRF) vulnerability in the URL upload feature. Due to insufficient validation of user-supplied URLs, an attacker can send crafted requests to localhost by using http://www.127.0.0.1.example.com/ or a similarly constructed domain name. This may lead to unauthorized port scanning or access to internal-only services.
π@cveNotify
Tiny File Manager through 2.6 contains a server-side request forgery (SSRF) vulnerability in the URL upload feature. Due to insufficient validation of user-supplied URLs, an attacker can send crafted requests to localhost by using http://www.127.0.0.1.example.com/ or a similarly constructed domain name. This may lead to unauthorized port scanning or access to internal-only services.
π@cveNotify
GitHub
tinyfilemanager-security-advisories/CVE-2025-46651.md at main Β· RobertoLuzanilla/tinyfilemanager-security-advisories
Contribute to RobertoLuzanilla/tinyfilemanager-security-advisories development by creating an account on GitHub.
π¨ CVE-2025-54700
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Makeaholic allows PHP Local File Inclusion. This issue affects Makeaholic: from n/a through 1.8.4.
π@cveNotify
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Makeaholic allows PHP Local File Inclusion. This issue affects Makeaholic: from n/a through 1.8.4.
π@cveNotify
Patchstack
Local File Inclusion in WordPress Makeaholic Theme
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
π¨ CVE-2025-54701
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Unicamp allows PHP Local File Inclusion. This issue affects Unicamp: from n/a through 2.6.3.
π@cveNotify
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeMove Unicamp allows PHP Local File Inclusion. This issue affects Unicamp: from n/a through 2.6.3.
π@cveNotify
Patchstack
Local File Inclusion in WordPress Unicamp Theme
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
π¨ CVE-2022-50524
In the Linux kernel, the following vulnerability has been resolved:
iommu/mediatek: Check return value after calling platform_get_resource()
platform_get_resource() may return NULL pointer, we need check its
return value to avoid null-ptr-deref in resource_size().
π@cveNotify
In the Linux kernel, the following vulnerability has been resolved:
iommu/mediatek: Check return value after calling platform_get_resource()
platform_get_resource() may return NULL pointer, we need check its
return value to avoid null-ptr-deref in resource_size().
π@cveNotify
π¨ CVE-2022-50525
In the Linux kernel, the following vulnerability has been resolved:
iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()
The fsl_pamu_probe() returns directly when create_csd() failed, leaving
irq and memories unreleased.
Fix by jumping to error if create_csd() returns error.
π@cveNotify
In the Linux kernel, the following vulnerability has been resolved:
iommu/fsl_pamu: Fix resource leak in fsl_pamu_probe()
The fsl_pamu_probe() returns directly when create_csd() failed, leaving
irq and memories unreleased.
Fix by jumping to error if create_csd() returns error.
π@cveNotify
π¨ CVE-2022-50526
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dp: fix memory corruption with too many bridges
Add the missing sanity check on the bridge counter to avoid corrupting
data beyond the fixed-sized bridge array in case there are ever more
than eight bridges.
Patchwork: https://patchwork.freedesktop.org/patch/502664/
π@cveNotify
In the Linux kernel, the following vulnerability has been resolved:
drm/msm/dp: fix memory corruption with too many bridges
Add the missing sanity check on the bridge counter to avoid corrupting
data beyond the fixed-sized bridge array in case there are ever more
than eight bridges.
Patchwork: https://patchwork.freedesktop.org/patch/502664/
π@cveNotify
π¨ CVE-2022-50527
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix size validation for non-exclusive domains (v4)
Fix amdgpu_bo_validate_size() to check whether the TTM domain manager for the
requested memory exists, else we get a kernel oops when dereferencing "man".
v2: Make the patch standalone, i.e. not dependent on local patches.
v3: Preserve old behaviour and just check that the manager pointer is not
NULL.
v4: Complain if GTT domain requested and it is uninitialized--most likely a
bug.
π@cveNotify
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix size validation for non-exclusive domains (v4)
Fix amdgpu_bo_validate_size() to check whether the TTM domain manager for the
requested memory exists, else we get a kernel oops when dereferencing "man".
v2: Make the patch standalone, i.e. not dependent on local patches.
v3: Preserve old behaviour and just check that the manager pointer is not
NULL.
v4: Complain if GTT domain requested and it is uninitialized--most likely a
bug.
π@cveNotify
π¨ CVE-2022-50514
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_hid: fix refcount leak on error path
When failing to allocate report_desc, opts->refcnt has already been
incremented so it needs to be decremented to avoid leaving the options
structure permanently locked.
π@cveNotify
In the Linux kernel, the following vulnerability has been resolved:
usb: gadget: f_hid: fix refcount leak on error path
When failing to allocate report_desc, opts->refcnt has already been
incremented so it needs to be decremented to avoid leaving the options
structure permanently locked.
π@cveNotify
π¨ CVE-2022-50515
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix memory leak in hpd_rx_irq_create_workqueue()
If construction of the array of work queues to handle hpd_rx_irq offload
work fails, we need to unwind. Destroy all the created workqueues and
the allocated memory for the hpd_rx_irq_offload_work_queue struct array.
π@cveNotify
In the Linux kernel, the following vulnerability has been resolved:
drm/amdgpu: Fix memory leak in hpd_rx_irq_create_workqueue()
If construction of the array of work queues to handle hpd_rx_irq offload
work fails, we need to unwind. Destroy all the created workqueues and
the allocated memory for the hpd_rx_irq_offload_work_queue struct array.
π@cveNotify
π¨ CVE-2024-32761
Under certain conditions, a data leak may occur in the Traffic Management Microkernels (TMMs) of BIG-IP tenants running on VELOS and rSeries platforms. This leak occurs randomly and cannot be deliberately triggered. If it occurs, it may leak up to 64 bytes of non-contiguous randomized bytes. Under rare conditions, this may lead to a TMM restart, affecting availability. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
π@cveNotify
Under certain conditions, a data leak may occur in the Traffic Management Microkernels (TMMs) of BIG-IP tenants running on VELOS and rSeries platforms. This leak occurs randomly and cannot be deliberately triggered. If it occurs, it may leak up to 64 bytes of non-contiguous randomized bytes. Under rare conditions, this may lead to a TMM restart, affecting availability. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated
π@cveNotify
F5
BIG-IP TMM tenants on VELOS and rSeries vulnerability CVE-2024-32761
Security Advisory Description Under certain conditions, a data leak may occur in the Traffic Management Microkernels (TMMs) of BIG-IP tenants running on VELOS and rSeries platforms. This leak occurs randomly and cannot be deliberately triggered. If it occursβ¦
π¨ CVE-2025-23239
When running in Appliance mode, and logged into a highly-privileged role, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
π@cveNotify
When running in Appliance mode, and logged into a highly-privileged role, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint. A successful exploit can allow the attacker to cross a security boundary.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
π@cveNotify
F5
BIG-IP iControl REST vulnerability CVE-2025-23239
Security Advisory Description When running in Appliance mode, and logged into a highly-privileged role, an authenticated remote command injection vulnerability exists in an undisclosed iControl REST endpoint. A successful exploit can allow the attacker toβ¦
π¨ CVE-2025-24319
When BIG-IP Next Central Manager is running, undisclosed requests to the BIG-IP Next Central Manager API can cause the BIG-IP Next Central Manager Node's Kubernetes service to terminate.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
π@cveNotify
When BIG-IP Next Central Manager is running, undisclosed requests to the BIG-IP Next Central Manager API can cause the BIG-IP Next Central Manager Node's Kubernetes service to terminate.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
π@cveNotify
F5
BIG-IP Next Central Manager vulnerability CVE-2025-24319
Security Advisory Description When BIG-IP Next Central Manager is running, undisclosed requests to the BIG-IP Next Central Manager API can cause the BIG-IP Next Central Manager Node's Kubernetes service to terminate. (CVE-2025-24319) Impact This vulnerabilityβ¦
π¨ CVE-2025-54500
An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit (HTTP/2 MadeYouReset Attack).
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
π@cveNotify
An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control frames in order to break the max concurrent streams limit (HTTP/2 MadeYouReset Attack).
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
π@cveNotify
F5
HTTP/2 vulnerability CVE-2025-54500
Security Advisory Description An HTTP/2 implementation flaw allows a denial-of-service (DoS) that uses malformed HTTP/2 control frames to break the maximum concurrent streams limit (HTTP/2 MadeYouReset Attack). (CVE-2025-54500) Impact This vulnerability allowsβ¦
β€1
π¨ CVE-2025-53868
When running in Appliance mode, a highly privileged authenticated attacker with access to SCP and SFTP may be able to bypass Appliance mode restrictions using undisclosed commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
π@cveNotify
When running in Appliance mode, a highly privileged authenticated attacker with access to SCP and SFTP may be able to bypass Appliance mode restrictions using undisclosed commands. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
π@cveNotify
F5
BIG-IP SCP and SFTP vulnerability CVE-2025-53868
Security Advisory Description When running in Appliance mode, a highly privileged authenticated attacker with access to Secure Copy (SCP) protocol and SFTP may be able to bypass Appliance mode restrictions using undisclosed commands. (CVE-2025-53868) Impactβ¦
π¨ CVE-2025-58153
Under undisclosed traffic conditions along with conditions beyond the attacker's control, hardware systems with a High-Speed Bridge (HSB) may experience a lockup of the HSB.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
π@cveNotify
Under undisclosed traffic conditions along with conditions beyond the attacker's control, hardware systems with a High-Speed Bridge (HSB) may experience a lockup of the HSB.
Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated.
π@cveNotify
F5
BIG-IP HSB vulnerability CVE-2025-58153
Security Advisory Description Under undisclosed traffic conditions along with conditions beyond the attacker's control, hardware systems with a High-Speed Bridge (HSB) and an embedded Packet Velocity Acceleration (ePVA) chip may experience a lockup ofβ¦
π¨ CVE-2024-42642
Micron Crucial MX500 Series Solid State Drives M3CR046 is vulnerable to Buffer Overflow, which can be triggered by sending specially crafted ATA packets from the host to the drive controller. NOTE: The supplier states that this vulnerability was fully remediated in December 2024 and that updated firmware is available through Crucialβs official support page.
π@cveNotify
Micron Crucial MX500 Series Solid State Drives M3CR046 is vulnerable to Buffer Overflow, which can be triggered by sending specially crafted ATA packets from the host to the drive controller. NOTE: The supplier states that this vulnerability was fully remediated in December 2024 and that updated firmware is available through Crucialβs official support page.
π@cveNotify
π¨ CVE-2018-20834
A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).
π@cveNotify
A vulnerability was found in node-tar before version 4.4.2 (excluding version 2.2.2). An Arbitrary File Overwrite issue exists when extracting a tarball containing a hardlink to a file that already exists on the system, in conjunction with a later plain file with the same name as the hardlink. This plain file content replaces the existing file content. A patch has been applied to node-tar v2.2.2).
π@cveNotify