CVE-2025-11953
React Native Community CLI OS Command Injection Vulnerability - Active in CISA KEV catalog.
Wednesday's vulnerability disclosures include 21 critical and 79 high-priority CVEs across enterprise infrastructure, cloud platforms, and endpoint software. Critical CVEs nearly doubled from the prior day (up 91%), while high-priority disclosures rose 16%. A perfect CVSS 10.0 vulnerability in Enclave enclave-vm leads the critical findings, joined by CVE-2026-24849 (CVSS 9.9) in HP OpenEMR and four SolarWinds Serv-U flaws rated CVSS 9.1. Multiple Microsoft Windows and Office vulnerabilities are confirmed under active exploitation, along with targeted campaigns against Apple OS, Google Chromium, Roundcube Webmail, and Zimbra Collaboration Suite. No patches are currently available for the disclosed vulnerabilities, requiring defenders to prioritize compensating controls and network segmentation for affected systems.
Immediate action: Prioritize compensating controls for Microsoft Windows and Office systems, SolarWinds Serv-U, Roundcube Webmail, and Google Chromium, all of which have confirmed active exploitation with no patches currently available. Monitor vendor advisories closely for patch releases on the CVSS 10.0 Enclave VM flaw and the four SolarWinds Serv-U vulnerabilities, and restrict network exposure to affected services until fixes are issued.
SmarterTools SmarterMail Missing Authentication for Critical Function Vulnerability - Active in CISA KEV catalog.
A protection mechanism failure in the MSHTML Framework allows an unauthenticated attacker to bypass security features over a network, potentially leading to unauthorized system access.
Microsoft Windows NULL Pointer Dereference Vulnerability - Active in CISA KEV catalog.
A protection mechanism failure in the Windows Shell allows an unauthenticated attacker to bypass security features over a network connection.
Improper privilege management in Windows Remote Desktop allows an authorized attacker to elevate their privileges locally on the affected system.
A type confusion vulnerability in the Desktop Window Manager (DWM) allows an authorized local attacker to elevate their privileges to a higher level.
A security feature bypass vulnerability in Microsoft Office Word exists due to reliance on untrusted inputs, allowing an unauthorized local attacker to circumvent security protections.
A memory corruption vulnerability in Apple software was addressed through improved state management to prevent potential exploitation.
Microsoft Configuration Manager SQL Injection Vulnerability - Active in CISA KEV catalog.
Notepad++ Download of Code Without Integrity Check Vulnerability - Active in CISA KEV catalog.
Synacor Zimbra Collaboration Suite (ZCS) Server-Side Request Forgery Vulnerability - Active in CISA KEV catalog.
TeamT5 ThreatSonar Anti-Ransomware Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
Microsoft Windows Video ActiveX Control Remote Code Execution Vulnerability - Active in CISA KEV catalog.
Google Chrome is vulnerable to a "Use After Free" condition in its CSS engine, which could allow a remote attacker to execute arbitrary code via a crafted webpage.
GitLab Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
RoundCube Webmail Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
RoundCube Webmail Cross-site Scripting Vulnerability - Active in CISA KEV catalog.
FileZen is affected by a high-severity OS command injection vulnerability that allows a threat actor to execute arbitrary commands on the underlying operating system.
A security boundary escape vulnerability in the Enclave JavaScript sandbox core allows attackers to bypass restrictions and achieve remote code execution (RCE).
Ormar ORM aggregate queries lack sanitization in `min()` and `max()` methods, allowing unauthenticated attackers to inject raw SQL and extract entire database contents via subqueries.
An unauthenticated stored cross-site scripting (XSS) vulnerability in Bugsink allows attackers to execute arbitrary JavaScript in an administrator's browser, leading to account takeover.
An arbitrary file read vulnerability in OpenEMR allows any authenticated user to access sensitive files on the server filesystem via the EtherFax component.
A critical authentication bypass in FreeScout allows attackers to compute valid session tokens and take over any user account, including administrators, if the application key is exposed.
A critical attack chain involving OS command injection and privilege escalation in api-gateway-deploy allows for root-level execution and container escape.
A broken access control vulnerability in Serv-U allows domain or group administrators to escalate privileges, create system admin users, and execute arbitrary code as a privileged account.
A type confusion vulnerability in Serv-U enables authenticated administrative users to execute arbitrary native code with the privileges of the service account.
A critical type confusion vulnerability in Serv-U allows an authenticated administrative user to execute arbitrary native code, potentially compromising the host system.
An Insecure Direct Object Reference (IDOR) vulnerability in Serv-U allows authenticated administrators to execute native code as a privileged account by manipulating object identifiers.
A stored cross-site scripting (XSS) vulnerability in the RustFS Console allows attackers to steal administrator credentials and achieve full system compromise.
A command injection vulnerability in the UPnP function of the Zyxel EX3510-B0 router allows remote attackers to execute arbitrary OS commands via crafted SOAP requests.
A SQL injection vulnerability in the InSAT MasterSCADA BUK-TS web interface allows attackers to execute arbitrary commands and achieve remote code execution (RCE).
All versions of InSAT MasterSCADA BUK-TS are vulnerable to OS command injection via the MMadmServ web interface, leading to remote code execution (RCE).
A critical path traversal and extension bypass vulnerability in Flask-Reuploaded allows for arbitrary file writes and remote code execution (RCE) via Server-Side Template Injection (SSTI).
OliveTin is vulnerable to unauthenticated remote code execution (RCE) via two vectors: shell argument injection and unsafe webhook processing.
Binardat 10G08-0800GSM switches contain hard-coded administrative credentials in firmware. Knowledge of these static credentials allows an attacker to gain full administrative control of the device.
A path traversal vulnerability in Lanscope Endpoint Manager allows attackers to tamper with arbitrary files. This flaw can be leveraged to execute arbitrary code on the affected Sub-Manager Server.
Statamic CMS contains a flaw in its password reset feature that allows attackers to capture reset tokens. By knowing a user's email, an attacker can hijack the reset process and take over accounts.
Smolder versions through 1.51 use the insecure Perl rand() function for cryptographic operations. This lack of cryptographically secure entropy weakens the security of generated tokens and keys.
Binardat network switches generate predictable numeric session identifiers in their web management interface. This flaw allows attackers to guess active session IDs and hijack authenticated administrative sessions.
The Advanced Woo Labels plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 2
DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework
A security flaw in ImageMagick, a popular image manipulation software, allows for potential exploitation during the processing of digital images.
The WPGSI: Spreadsheet Integration plugin for WordPress is vulnerable to unauthorized modification and loss of data due to missing capability checks and an insecure authentication mechanism on the `wpgsi_callBackFuncAccept` and `wpgsi_callBackFuncUpdate` REST API functions in all versions up to, and including, 3
The Geo Mashup plugin for WordPress is vulnerable to SQL Injection via the 'sort' parameter in all versions up to, and including, 1
The Responsive Lightbox & Gallery WordPress plugin before 2
Use-after-free in the DOM: Core & HTML component
Valkey is a distributed key-value database
Dell Wyse Management Suite, versions prior to WMS 5
OpenEMR is a free and open source electronic health records and medical practice management application
Improper validation of user-supplied input in the ZIA Admin UI could allow an authenticated administrator to initiate backend functions through specific input fields in limited scenarios
A vulnerability in the Valkey distributed key-value database could allow attackers to compromise database operations or data integrity.
A security issue in the Valkey key-value database management system may lead to unauthorized exploitation of database functions or service disruption.
Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior use RC4 with a hard-coded key embedded in client-side JavaScript
Improper certificate validation (CWE-295) in JXcore JXM master allows for potential Man-in-the-Middle (MitM) attacks and data interception.
A vulnerability was determined in SourceCodester Student Result Management System 1
Dell Repository Manager (DRM), versions prior to 3
A vulnerability has been found in itsourcecode Document Management System 1
Dell Wyse Management Suite, versions prior to WMS 5
A vulnerability was detected in itsourcecode Event Management System 1
A security vulnerability has been detected in itsourcecode E-Logbook with Health Monitoring System for COVID-19 1
A weakness has been identified in itsourcecode Document Management System 1
A security vulnerability has been detected in itsourcecode Document Management System 1
A security flaw has been discovered in itsourcecode News Portal Project 1
A weakness has been identified in itsourcecode News Portal Project 1
A vulnerability was determined in SourceCodester Simple and Nice Shopping Cart Script 1
A vulnerability was detected in itsourcecode College Management System 1
A flaw has been found in itsourcecode College Management System 1
A vulnerability has been found in itsourcecode Document Management System 1
A vulnerability was found in itsourcecode News Portal Project 1
A vulnerability has been found in Tenda AC8 16
A post-authentication command injection vulnerability in the log file download function of the Zyxel EX3301-T0 firmware versions through 5
A vulnerability was determined in Tenda F453 1
A vulnerability was identified in Tenda F453 1
A security flaw has been discovered in Tenda F453 1
A weakness has been identified in Tenda F453 1
A security vulnerability has been detected in Tenda F453 1
Summary: This advisory addresses a SQL injection vulnerability in the API endpoint used for retrieving contact activities
NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could run an unauthorized command
NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could inject a command
Tenda FH1203 V2
NVIDIA Cumulus Linux and NVOS products contain a vulnerability in the NVUE interface, where a low-privileged user could inject a command
A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the Zyxel VMG3625-T50B firmware versions through 5
A vulnerability in the New API large language model (LLM) gateway and AI asset management system could allow for unauthorized access or manipulation of AI resources.
A privilege escalation (PE) vulnerability in the Tencent iOA app thru 210
A privilege escalation (PE) vulnerability in the Tencent PC Manager app thru 17
A vulnerability was determined in UTT HiPER 810G up to 1
A vulnerability was identified in UTT HiPER 810G up to 1
yt-dlp is a command-line audio/video downloader
Use-after-free in the Storage: IndexedDB component
MindsDB is a platform for building artificial intelligence from enterprise data
Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior contain a command injection vulnerability in the traceroute diagnostic function of the affected device web management interface
Versions of the Traccar open-source GPS tracking system starting with 6
OpenEMR is a free and open source electronic health records and medical practice management application
ImageMagick is free and open-source software used for editing and manipulating digital images
changedetection
ImageMagick is free and open-source software used for editing and manipulating digital images
Karakeep is a self-hostable bookmark-everything app
Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior expose user passwords in plaintext within the administrative interface and HTTP responses, allowing recovery of valid credentials
OpenEMR is a free and open source electronic health records and medical practice management application
RustFS is a distributed object storage system built in Rust
TOTOLink X5000R v9
When the "Silent Just-In-Time Provisioning" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users
ImageMagick is free and open-source software used for editing and manipulating digital images
ImageMagick is free and open-source software used for editing and manipulating digital images
ImageMagick is free and open-source software used for editing and manipulating digital images
Binardat 10G08-0800GSM network switch firmware versions prior to V300SP10260209 store a user password in a client-side cookie as a Base64-encoded value accessible via the web interface
Fiber is an Express inspired web framework written in Go
ImageMagick is free and open-source software used for editing and manipulating digital images
ImageMagick is free and open-source software used for editing and manipulating digital images
libtiff up to v4
A flaw has been found in ShuoRen Smart Heating Integrated Management Platform 1
A vulnerability has been found in erzhongxmu JEEWMS 3
Versions of the Traccar open-source GPS tracking system up to and including 6
A vulnerability was determined in DataLinkDC dinky up to 1
A flaw was found in the 389-ds-base server
Coturn is a free open source implementation of TURN and STUN Server
Versions of the Traccar open-source GPS tracking system up to and including 6