CVE-2025-53521
F5 BIG-IP Unspecified Vulnerability - Active in CISA KEV catalog.
CRS uses the System Security Context Vector (SSCV) Framework v1.0 to adjust CVSS scores based on your system's exposure level, network position, and business criticality.
Yesterday's disclosures reveal critical vulnerabilities spanning HP, Grafana, Home Assistant, and OpenBao, alongside a maximum-severity flaw in CodeRider-Kilo (CVE-2026-30302, CVSS 10.0). Fifteen critical CVEs were disclosed, up 36% from the prior day, with 100 high-priority issues holding steady. Notable critical entries include CVE-2026-33937 affecting Handlebars.js, CVE-2026-27876 targeting Grafana Enterprise plugins, and CVE-2026-33757 in OpenBao, each presenting remote code execution or access control risks. Ten vulnerabilities have confirmed active exploitation, including F5 BIG-IP (CVE-2025-53521), Zimbra Collaboration Suite (CVE-2025-66376), Apple products, and Langflow (CVE-2026-33017). No patches are currently available for yesterday's disclosures, requiring organizations to prioritize compensating controls and monitoring.
Immediate action: Organizations running F5 BIG-IP, Zimbra, Apple products, Langflow, or Craft CMS should treat actively exploited CVEs as top priority and apply any available vendor mitigations or WAF rules immediately. For the 15 critical CVEs with no patches yet available, implement network segmentation, restrict access to affected services, and increase monitoring for exploitation indicators.
F5 BIG-IP Unspecified Vulnerability - Active in CISA KEV catalog.
Wing FTP Server Information Disclosure Vulnerability - Active in CISA KEV catalog.
Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability - Active in CISA KEV catalog.
Craft CMS Code Injection Vulnerability - Active in CISA KEV catalog.
Laravel Livewire Code Injection Vulnerability - Active in CISA KEV catalog.
Apple Multiple Products Improper Locking Vulnerability - Active in CISA KEV catalog.
Apple Multiple Products Classic Buffer Overflow Vulnerability - Active in CISA KEV catalog.
Apple Multiple Products Buffer Overflow Vulnerability - Active in CISA KEV catalog.
Langflow Code Injection Vulnerability - Active in CISA KEV catalog.
Aquasecurity Trivy Embedded Malicious Code Vulnerability - Active in CISA KEV catalog.
SourceCodester Online Food Ordering System v1.0 contains a critical SQL injection vulnerability in the `save_customer` action within `Actions.php`.
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 within the admin/view_product.php file via the "id" parameter.
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1.0 within the admin/manage_product.php file via the "id" parameter.
CodeRider-Kilo contains an OS command injection vulnerability due to improper parsing of Windows escape sequences using a Unix-based library, allowing unauthenticated remote code execution.
Axon Code is vulnerable to OS command injection on Windows systems because its auto-approval module incorrectly uses a Unix parser, allowing unauthenticated attackers to execute arbitrary code.
Handlebars.js allows Remote Code Execution when `Handlebars.compile()` processes a crafted AST object containing unsanitized numeric literals.
Notesnook suffers from a stored XSS vulnerability in its Web Clipper that can be escalated to Remote Code Execution in the desktop application due to insecure Electron configurations.
Home Assistant Supervisor fails to restrict access to internal Docker endpoints when using host network mode on Linux, exposing unauthenticated management interfaces to the local network.
A chained attack involving SQL Expressions and a Grafana Enterprise plugin enables remote arbitrary code execution (RCE) when the sqlExpressions feature toggle is active.
OpenBao fails to require user confirmation during OIDC/JWT logins in `direct` mode, enabling unauthenticated remote phishing and session hijacking.
Incus versions prior to 6.23.0 are vulnerable to an arbitrary file write flaw where path traversal in systemd credential keys allows root-level writes to the host filesystem.
WWBN AVideo contains a critical SQL injection vulnerability in its stream key lookup path, allowing unauthenticated attackers to execute malicious database queries.
Spring AI versions prior to 1.0.5 and 1.1.4 are vulnerable to SpEL injection in SimpleVectorStore when user-supplied input is used as a filter expression key, leading to remote code execution.
AI Code's "Execute safe commands" feature is vulnerable to prompt injection, allowing attackers to bypass user approval and execute arbitrary terminal commands.
Gematik Authenticator is vulnerable to authentication flow hijacking via malicious deep links, allowing attackers to impersonate victim users.
A high-severity security flaw has been discovered in Undertow, a flexible, performant web server used in many Java-based applications.
Azure Data Explorer MCP Server is a Model Context Protocol (MCP) server that enables AI assistants to execute KQL queries and explore Azure Data Explorer (ADX/Kusto) databases through standardized interfaces
Kysely is a type-safe TypeScript SQL query builder
Kysely is a type-safe TypeScript SQL query builder
BentoML is a Python library for building online serving systems optimized for AI apps and model inference
HCL Aftermarket DPC is affected by SQL Injection, which allows an attacker to retrieve sensitive information from the database.
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1
The JS Help Desk - AI-Powered Support & Ticketing System plugin for WordPress is vulnerable to SQL Injection via the `multiformid` parameter in the `storeTickets()` function in all versions up to, and including, 3
Group-Office is an enterprise customer relationship management and groupware tool
Happy DOM is a JavaScript implementation of a web browser without its graphical user interface
A SQL Injection vulnerability exists in SourceCodester Online Food Ordering System v1
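Several entries above are the same bug class: a request parameter spliced into query text (the SourceCodester Online Food Ordering System `id` parameter in admin/view_product.php and admin/manage_product.php, HCL Aftermarket DPC, and the JS Help Desk `multiformid` parameter). The Python example below is added here to show the vulnerable pattern beside its parameterized replacement against an in-memory SQLite table. It is not code from any of those projects: the table schema, rows and payloads are constructed for the illustration, and the `id = {value}` splice is an assumption about how such lookups are typically written, not a transcription of the affected files.

```python
import re
import sqlite3

# Constructed sample rows standing in for the application's product table.
# The schema is an assumption for this illustration, not the real layout.
SAMPLE_PRODUCTS = [
    (1, "Margherita", 8.5),
    (2, "Pepperoni", 9.75),
    (3, "Staff-only special", 99.0),
]


def make_db() -> sqlite3.Connection:
    """Build an in-memory database seeded with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL)"
    )
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    conn.commit()
    return conn


def view_product_vulnerable(conn: sqlite3.Connection, product_id: str) -> list:
    """The injectable pattern: the raw `id` request parameter is spliced into
    the query text, so SQL metacharacters in it are executed as SQL."""
    sql = f"SELECT id, name, price FROM products WHERE id = {product_id}"
    return conn.execute(sql).fetchall()


def view_product_safe(conn: sqlite3.Connection, product_id: str) -> list:
    """Hardened form: validate the parameter's shape first, then bind it as a
    query parameter so the database engine never sees it as query text."""
    if not re.fullmatch(r"[0-9]+", product_id):
        raise ValueError("id must be a non-negative integer")
    sql = "SELECT id, name, price FROM products WHERE id = ?"
    return conn.execute(sql, (int(product_id),)).fetchall()


def demo() -> dict:
    """Run constructed payloads through both versions and summarise the outcome."""
    conn = make_db()
    tautology = "2 OR 1=1"  # turns a single-row lookup into a full dump
    union = "0 UNION SELECT 1, name, 0 FROM sqlite_master"  # enumerates schema
    try:
        view_product_safe(conn, tautology)
        safe_rejected = False
    except ValueError:
        safe_rejected = True
    return {
        "vuln_normal": len(view_product_vulnerable(conn, "2")),
        "vuln_tautology": len(view_product_vulnerable(conn, tautology)),
        "vuln_union": view_product_vulnerable(conn, union)[0][1],
        "safe_normal": view_product_safe(conn, "2"),
        "safe_rejected": safe_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tautology payload is the quickest way to confirm a suspected injection point during review; the UNION payload shows why the impact is rarely limited to the one table the page names. The safe version rejects malformed input before it reaches the database rather than trying to escape it, and binds the value so that even a quoted variant of the same query could not be broken out of.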
ClearanceKit for macOS contains a vulnerability in its file-system access event interception, potentially allowing bypass of per-process access policies.
The Ultimate Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2
etcd is a distributed key-value store for the data of a distributed system
Sharp is a content management framework built for Laravel as a package
Wecodex Hotel CMS 1
Online Store System CMS 1
OpenBiz Cubi Lite 3
Daylight Studio FuelCMS v1
Sharp is a content management framework built for Laravel as a package
WeGIA is a web manager for charitable institutions
Pay is an open-source payment SDK extension package for various Chinese payment services
Docker BuildKit contains a vulnerability affecting the reproducibility of build artifacts, which could lead to unauthorized access or build-time exploitation.
OS Command Injection vulnerability exists in BUFFALO Wi-Fi router products
Code injection vulnerability exists in BUFFALO Wi-Fi router products
WWBN AVideo is an open source video platform
PrestaShop is an open source e-commerce web application
A vulnerability was detected in Tenda AC5 15
A flaw has been found in Tenda AC5 15
A vulnerability has been found in Tenda AC5 15
A vulnerability was found in Tenda AC5 15
A vulnerability was determined in Tenda AC5 15
A vulnerability was determined in Tenda AC6 15
A vulnerability was identified in Tenda AC6 15
A flaw has been found in Tenda AC7 15
A vulnerability has been found in Tenda AC15 15
The 'POST /api/v2/files' endpoint does not sanitize the 'filename' parameter from the multipart form data, allowing an attacker to write files to arbitrary locations on the filesystem using path traversal sequences ('
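The Incus entry above (path traversal in systemd credential keys used as filenames under the host filesystem) and this 'POST /api/v2/files' filename entry share one root cause: a client-chosen name is joined onto a base directory without being confined to it. The Python example below is added here to show why the naive join escapes and how a strict single-component rule plus a containment check refuses it. It is not code from Incus or from the affected API; the directory, file names and hostile inputs are constructed for the illustration.

```python
import os
import tempfile


class UnsafePathError(ValueError):
    """Raised when a client-supplied name would leave the intended directory."""


def naive_target(base_dir: str, name: str) -> str:
    """The vulnerable pattern: join whatever the client sent onto the base
    directory. `..` components walk upwards, and an absolute `name` replaces
    the base entirely because os.path.join discards everything before an
    absolute component."""
    return os.path.normpath(os.path.join(base_dir, name))


def escapes_base(base_dir: str, name: str) -> bool:
    """Report whether the naive join would resolve outside base_dir."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(naive_target(base_dir, name))
    return os.path.commonpath([base, target]) != base


def safe_target(base_dir: str, name: str) -> str:
    """Resolve `name` to a file directly inside base_dir, or refuse.

    A value the client chooses by name alone (an upload filename, a
    credential key) should never carry directory structure, so the rule is
    strict: one path component, no separator of either family, no dot names.
    The final containment check on the resolved path is a second line of
    defence; it also catches an existing symlink inside base_dir that points
    outside it."""
    if not name or name in (".", ".."):
        raise UnsafePathError("empty or dot name")
    if "/" in name or "\\" in name or "\x00" in name:
        raise UnsafePathError("name must be a single path component")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise UnsafePathError("resolved path escapes base directory")
    return target


def demo() -> dict:
    """Exercise both functions on constructed inputs inside a scratch directory."""
    base = tempfile.mkdtemp(prefix="uploads-")
    hostile = ["../../etc/passwd", "/etc/passwd", "..\\..\\win.ini", "..", ""]
    rejected = {}
    for name in hostile:
        try:
            safe_target(base, name)
            rejected[name] = False
        except UnsafePathError:
            rejected[name] = True
    written = safe_target(base, "report.txt")
    with open(written, "w", encoding="utf-8") as fh:
        fh.write("constructed upload body\n")
    return {
        "naive_dotdot_escapes": escapes_base(base, "../../etc/passwd"),
        "naive_absolute_escapes": escapes_base(base, "/etc/passwd"),
        "naive_plain_escapes": escapes_base(base, "report.txt"),
        "safe_rejected_all": all(rejected.values()),
        "safe_written_inside": os.path.dirname(written) == os.path.realpath(base),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Rejecting backslashes on a Linux service looks pedantic until the same code is deployed on Windows, where they are separators. The check-then-open sequence still leaves a small window for a symlink to appear between the check and the write; where the service runs as root, as the Incus entry implies, open the file with `os.O_NOFOLLOW` and `os.O_EXCL` as well.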
Ubiquiti UniFi Network Controller prior to 5
ASP
The Twilio integration webhook handler accepts any POST request without validating Twilio's 'X-Twilio-Signature'
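Twilio publishes the scheme behind X-Twilio-Signature, so a webhook handler can verify it with the standard library alone. The Python example below is added here to show that verification together with the failure cases a reviewer would test (tampered body, wrong URL, missing header, signature produced without the real auth token). It is not the affected integration's code; the auth token, URL and message parameters are constructed for the illustration.

```python
import base64
import hashlib
import hmac
from typing import Mapping, Optional, Sequence, Union

ParamValue = Union[str, Sequence[str]]


def compute_twilio_signature(
    auth_token: str, url: str, params: Mapping[str, ParamValue]
) -> str:
    """Recompute the X-Twilio-Signature value Twilio attaches to a webhook.

    Twilio's published scheme: start from the full request URL exactly as
    Twilio called it (scheme, host, port, path and query string), append each
    POST parameter as key followed by value in sorted key order (values of a
    repeated key in sorted order, with no separators), HMAC-SHA1 the result
    with the account auth token, then base64 encode the digest."""
    signed = url
    for key in sorted(params):
        values = params[key]
        if isinstance(values, str):
            values = [values]
        for value in sorted(values):
            signed += key + value
    mac = hmac.new(auth_token.encode("utf-8"), signed.encode("utf-8"), hashlib.sha1)
    return base64.b64encode(mac.digest()).decode("ascii")


def verify_twilio_request(
    auth_token: str,
    url: str,
    params: Mapping[str, ParamValue],
    header_signature: Optional[str],
) -> bool:
    """Accept the request only if the header matches our own recomputation.

    A missing header is a plain failure rather than an exception the caller
    might forget to handle, and the comparison is constant-time so an
    attacker cannot learn how many leading characters of a guess matched."""
    if not header_signature:
        return False
    expected = compute_twilio_signature(auth_token, url, params)
    return hmac.compare_digest(expected.encode("utf-8"), header_signature.encode("utf-8"))


def demo() -> dict:
    """Constructed values: a made-up auth token, webhook URL and SMS payload."""
    token = "constructed-auth-token-not-real"
    url = "https://hooks.example.com/twilio/sms"
    params = {"From": "+15550001111", "To": "+15550002222", "Body": "hello"}
    genuine = compute_twilio_signature(token, url, params)
    tampered = dict(params, Body="please reset my password")
    forged = compute_twilio_signature("attacker-guess", url, params)
    return {
        "genuine_accepted": verify_twilio_request(token, url, params, genuine),
        "tampered_body_rejected": not verify_twilio_request(token, url, tampered, genuine),
        "wrong_url_rejected": not verify_twilio_request(token, url + "?x=1", params, genuine),
        "missing_header_rejected": not verify_twilio_request(token, url, params, None),
        "forged_rejected": not verify_twilio_request(token, url, params, forged),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The URL fed into the check must be the one Twilio actually requested, which is the usual way these checks break in production: behind a TLS-terminating proxy the application sees http and an internal host, so reconstruct the public URL from a configured value or from forwarded headers you trust, never from the raw request. Twilio's official helper libraries ship a RequestValidator that also tolerates the with-and-without-port variants; prefer it where the dependency is acceptable, but the property to assert in a test is the same as above.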
Spring AI's spring-ai-bedrock-converse contains a Server-Side Request Forgery (SSRF) vulnerability in BedrockProxyChatModel when processing multimodal messages that include user-supplied media URLs
A flaw was found in Red Hat OpenShift AI (RHOAI) llama-stack-operator
ORY Oathkeeper is an Identity & Access Proxy (IAP) and Access Control Decision API that authorizes HTTP requests based on sets of Access Rules
A weakness has been identified in Wavlink WL-NU516U1 260227
A security vulnerability has been detected in UTT HiPER 1250GW up to 3
The VSL privileged helper does utilize NSXPC for IPC
EVerest is an EV charging software stack
Ory Polis, formerly known as BoxyHQ Jackson, bridges or proxies a SAML login flow to OAuth 2
vLLM is an inference and serving engine for large language models (LLMs)
Incus is a system container and virtual machine manager
A vulnerability was found in Totolink LR350 9
A flaw was found in Undertow
A flaw was found in Undertow
Firecrawl version 2
Notesnook is a note-taking app
In TigerVNC before 1
A high-severity vulnerability in LibreChat, a ChatGPT clone, may lead to unauthorized access or system compromise.
LinkAce is a self-hosted archive to collect website links
Boxoft wav-wma Converter 1
Nsauditor 3
PDF Explorer 1
PassFab RAR Password Recovery 9
PassFab Excel Password Recovery 8
River Past CamDo 3 contains a high-severity vulnerability that could lead to unauthorized system access or execution. This late-disclosure entry requires immediate review for legacy systems.
EVerest is an EV charging software stack
EVerest is an EV charging software stack
Shipping System CMS 1
Wecodex Restaurant CMS 1
SAT CFDI 3
Library CMS 1
KomSeo Cart 1
qdPM 9
WebOfisi E-Ticaret 4
EVerest is an EV charging software stack
Handlebars provides the power necessary to let users build semantic templates
Express XSS Sanitizer is Express 4
Problem in the Small HTTP Server v3
HCL Aftermarket DPC is affected by Missing Functional Level Access Control, which allows an attacker to escalate privileges, compromise the application, and steal or manipulate data.
Tandoor Recipes is an application for managing recipes, planning meals, and building shopping lists
In the latest version of mlflow/mlflow, when the `basic-auth` app is enabled, tracing and assessment endpoints are not protected by permission validators
Handlebars provides the power necessary to let users build semantic templates
Handlebars provides the power necessary to let users build semantic templates
Mobile Next is an MCP server for mobile development and automation
A flaw was found in Foreman
Mattermost versions 11
Vulnerability related to an unquoted service path in Small HTTP Server 3
Allok Video Splitter 3
Zen C is a systems programming language that compiles to human-readable GNU C/C11
Gematik Authenticator securely authenticates users for login to digital health applications
Substance3D - Stager versions 3
InvenTree is an Open Source Inventory Management System
Dovecot SQL-based authentication can be bypassed when auth_username_chars is cleared by the administrator.
LibreChat is a ChatGPT clone with additional features
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files
OpenHands is software for AI-driven development
EVerest is an EV charging software stack
A vulnerability has been identified in CPCI85 Central Processing/Communication (All versions < V26
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files
Impact: A bad regular expression is generated any time you have three or more parameters within a single segment, separated by something that is not a period (