CVE-2025-40551
SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability - Active in CISA KEV catalog.
Today's curated brief highlights 22 critical vulnerabilities and 95 high-priority updates requiring immediate attention.
Cisco Unified Communications Products Code Injection Vulnerability - Active in CISA KEV catalog.
Synacor Zimbra Collaboration Suite (ZCS) PHP Remote File Inclusion Vulnerability - Active in CISA KEV catalog.
Versa Concerto Improper Authentication Vulnerability - Active in CISA KEV catalog.
Vite Vitejs Improper Access Control Vulnerability - Active in CISA KEV catalog.
Prettier eslint-config-prettier Embedded Malicious Code Vulnerability - Active in CISA KEV catalog.
Broadcom VMware vCenter Server Out-of-bounds Write Vulnerability - Active in CISA KEV catalog.
Linux Kernel Integer Overflow Vulnerability - Active in CISA KEV catalog.
SmarterTools SmarterMail Unrestricted Upload of File with Dangerous Type Vulnerability - Active in CISA KEV catalog.
SmarterTools SmarterMail Authentication Bypass Using an Alternate Path or Channel Vulnerability - Active in CISA KEV catalog.
GNU InetUtils Argument Injection Vulnerability - Active in CISA KEV catalog.
Microsoft Office Security Feature Bypass Vulnerability - Active in CISA KEV catalog.
GitLab Community and Enterprise Editions Server-Side Request Forgery (SSRF) Vulnerability - Active in CISA KEV catalog.
Sangoma FreePBX OS Command Injection Vulnerability - Active in CISA KEV catalog.
Sangoma FreePBX Improper Authentication Vulnerability - Active in CISA KEV catalog.
Dokans SaaS platform allows unauthenticated attackers to download the `.env` file, exposing encryption keys, database credentials, and API keys, leading to total multi-tenant system compromise.
CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin's vCard download functionality with a specially crafted request.
School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabling remote code execution on the server.
An authenticated user with file editor permissions in CI4MS can achieve Remote Code Execution (RCE) by uploading and executing arbitrary PHP code via insecure file endpoints.
webTareas 2.0.p8 contains a file deletion vulnerability in the print_layout.php administration component that allows authenticated attackers to delete arbitrary files. Attackers can exploit the vulnerability by manipulating the 'atttmp1' parameter to specify and delete files on the server through an unauthenticated file deletion mechanism.
An unauthenticated file access vulnerability in webERP 4.15.1 allows remote attackers to download database backup files directly from the web directory.
A prototype pollution vulnerability in the Qwik City middleware's formToObj() function allows unauthenticated attackers to manipulate Object.prototype via crafted HTTP POST requests.
Konica Minolta FTP Utility 1.0 contains a buffer overflow vulnerability in the LIST command that allows attackers to overwrite system registers. Attackers can send an oversized buffer of 1500 'A' characters to crash the FTP server and potentially execute unauthorized code.
Konica Minolta FTP Utility 1.0 contains a buffer overflow vulnerability in the NLST command that allows attackers to overwrite system registers. Attackers can send an oversized buffer of 1500 'A' characters to crash the FTP server and potentially execute unauthorized code.
A buffer overflow vulnerability in CloudMe 1.11.2 allows unauthenticated remote attackers to execute arbitrary code by sending crafted packets to port 8888.
Remote Desktop Audit 2.3.0.157 is vulnerable to a buffer overflow during the file import process, allowing attackers to execute arbitrary code via a malicious payload file.
LanSend 3.2 contains a buffer overflow in its file import functionality, allowing remote attackers to execute arbitrary code through a crafted payload file that triggers an SEH overwrite.
Rapid7 InsightVM versions before 8.34.0 contain a signature verification flaw in the ACS endpoint. This allows unauthenticated attackers to bypass authentication and achieve full account takeover.
MOMA Seismic Station exposes its web management interface without authentication, allowing unauthenticated attackers to modify configurations, steal data, or reset the device remotely.
A critical SQL injection vulnerability in Fikir Odalari AdminPando allows unauthenticated attackers to bypass login and gain full administrative access, including DOM manipulation capabilities.
Stack-based buffer overflow vulnerability exists in ELECOM wireless LAN access point devices. A crafted packet may lead to arbitrary code execution.
The DIGITA Efficiency Management System is vulnerable to a critical SQL Injection flaw. An unauthenticated attacker can execute arbitrary SQL commands to manipulate or extract sensitive data.
StreamRipper32 version 2.6 contains a buffer overflow in the Station/Song Section. Attackers can provide a malicious SongPattern input to overwrite memory and execute arbitrary code.
GoldWave 5.70 is vulnerable to a stack-based buffer overflow in the File Open URL dialog. Attackers can use Unicode-encoded shellcode in a text file to execute commands upon opening.
Filetto 1.0 FTP server contains a denial of service (DoS) vulnerability in the FEAT command processing. Sending an oversized command causes a buffer overflow and service crash.
The Synectix LAN 232 TRIO serial to ethernet adapter exposes its web management interface without authentication, allowing unauthenticated users to modify settings or factory reset the device.
EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user information and privileges.
Heap buffer overflow in libvpx in Google Chrome prior to 144
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Talemy Spirit Framework allows PHP Local File Inclusion
Type Confusion in V8 in Google Chrome prior to 144
PhpIX 2012 Professional contains a SQL injection vulnerability in the 'id' parameter of product_detail
The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the 'infility_get_data' API action in all versions up to, and including, 2
PHP AddressBook 9
During the installation of the Native Access application, a privileged helper tool contains a vulnerability that could lead to unauthorized privilege escalation.
The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'OS_DataHub_Maps_Admin::add_file_and_ext' function in all versions up to, and including, 1
The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the 'WP_FOFT_Loader_Mimes::file_and_ext' function in all versions up to, and including, 2
jsPDF is a library to generate PDFs in JavaScript
The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3
A vulnerability in the OpenClaw (formerly Clawdbot) personal AI assistant could allow an attacker to compromise the host device or access private data.
GUnet OpenEclass 1
GUnet OpenEclass 1
An arbitrary file upload vulnerability in the AddFont() function of FPDF v1
Victor CMS 1
A security issue was discovered in ingress-nginx where the `nginx
A security issue was discovered in ingress-nginx where the `rules
AnyDesk 5
The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2
60CycleCMS 2
OXID eShop versions 6
Victor CMS version 1
The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5
The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1
The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1
PMB 5
Fishing Reservation System 7
School ERP Pro 1
An unauthenticated remote attacker is able to use an existing session ID of a logged-in user and gain full access to the device if configuration via Ethernet is enabled.
The Amazon SageMaker Python SDK before v3
NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue.
A security vulnerability in IBM WebSphere Application Server Liberty 17 could allow for unauthorized actions. Users should consult vendor advisories for specific technical impact and patch details.
Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.
Memory corruption when a user-space address is modified and passed to the mem_free API, causing kernel memory to be freed inadvertently.
Memory corruption when multiple threads simultaneously access a memory free API.
VPN Unlimited 6
Multiple products by AKCE Software are vulnerable to SQL Injection due to improper neutralization of special elements, which could allow an attacker to execute unauthorized database commands.
IBM Business Automation Workflow containers V25 is subject to a high-severity vulnerability that could allow for unauthorized actions or data access within the containerized environment.
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Blind SQL Injection.
An unauthenticated remote attacker can disrupt system operations by switching between configuration presets via HTTP, leading to unauthorized state changes and operational instability.
An unauthenticated remote attacker can disrupt industrial operations by unauthorized switching of configuration presets via the Modbus (TCP) protocol.
OpenTelemetry-Go, the Go implementation of the OpenTelemetry framework, contains a security vulnerability that may compromise telemetry data integrity or processing within affected applications.
A security vulnerability in the OpenList Frontend UI component could allow for unauthorized actions or data exposure within the OpenList application.
i-doit Open Source CMDB 1
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Karel Electronics Industry and Trade Inc
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system
A flaw was found in the libsoup HTTP library that could lead to a denial of service or potential code execution when processing malicious HTTP requests.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ankara Hosting Website Design Website Software allows Reflected XSS.
A vulnerability in the `lollms_generation_events
School ERP Pro 1
A security vulnerability in the OpenList Frontend UI component could lead to unauthorized access or manipulation of the OpenList application environment.
A flaw was found in Moodle
A weakness has been identified in Ziroom ZHOME A0101 1
A vulnerability in the FacturaScripts ERP and accounting software could allow an attacker to compromise sensitive financial data or take control of the application.
It was found that the XPC service offered by the privileged helper of Native Access uses the PID of the connecting client to verify its code signature
Unchecked IOMMU mapping errors during GPU memory mapping using scatter-gather lists lead to a memory corruption vulnerability.
Improper handling of memory pointers during the deallocation of GPU memory buffers results in a memory corruption vulnerability.
A memory corruption vulnerability exists in sensor property settings updates due to invalid input parameters in IOCTL calls.
The installer for Roland Cloud Manager contains a vulnerability that could allow for unauthorized system modifications or privilege escalation during installation.
Disk Sorter Enterprise 12
Disk Savvy Enterprise 12
Sync Breeze Enterprise 12
Adaware Web Companion 4
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles
A local attacker can cause a full device reset and password bypass by using an invalid reset file via a USB connection.
A Cross-Site Scripting (XSS) vulnerability exists in AKCE Software Technology R&D Industry and Trade Inc products due to improper neutralization of input during web page generation.
Kod8 Software Technologies products contain a Cross-Site Scripting (XSS) vulnerability caused by the failure to properly neutralize input during web page generation.
Seres Software syWEB is vulnerable to Reflected Cross-Site Scripting (XSS) due to improper input neutralization during web page generation.
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Ofisimo Web-Based Software Technologies Association Web Package Flora allows XSS through HTTP headers.
A vulnerability was identified in lunary-ai/lunary version 1. The flaw could allow for unauthorized actions or data access depending on the specific implementation of the platform.
A vulnerability in Hugging Face Text Generation Inference (TGI) version 3 could allow for unauthorized exploitation of the inference engine.
An exposure of sensitive information to an unauthorized actor exists in AKCE Software. This flaw allows attackers to access data that should be protected.
A flaw was found in Moodle
An issue was discovered in 6
An issue was discovered in 6
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system
Blesta 3
VirtualTablet Server 3
Netis E1+ version 1
Netis E1+ 1
Edimax EW-7438RPn 1
Fastify is a fast and low overhead web framework, for Node
A flaw was found in Moodle
A flaw was found in moodle
The Open eClass platform (formerly known as GUnet eClass) is a complete course management system
A security flaw has been discovered in Ziroom ZHOME A0101 1
An OS command injection vulnerability exists in Elecom WRC-X1500GS-B and WRC-X1500GSA-B routers, allowing for arbitrary command execution.
Blesta 3
Victor CMS 1
A cryptographic issue occurs when a Trusted Zone with outdated code is triggered by a High-Level Operating System (HLOS) providing incorrect input.
GUnet OpenEclass 1
iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles
A vulnerability in MLflow version 2 could lead to unauthorized access or data manipulation within the machine learning lifecycle platform.