Vulnerability intelligence

CVE-2023-28432 is an information disclosure vulnerability found in MinIO, a multi-cloud object storage framework. This flaw specifically impacts MinIO cluster deployments released between December 17, 2019 (RELEASE.2019-12-17T23-16-33Z) and March 20, 2023 (prior to RELEASE.2023-03-20T20-16-18Z). The vulnerability arises because MinIO, in these affected versions, returns all environment variables, including sensitive credentials like `MINIO_SECRET_KEY` and `MINIO_ROOT_PASSWORD`, through an unauthenticated API endpoint. This exposure of environment variables can allow unauthorized parties to gain access to critical information such as secret keys and passwords. The vulnerable code is located in the `VerifyHandler` function within the `bootstrap-peer-server.go` file of the MinIO source code. Users of distributed deployments are particularly affected. The issue was addressed in MinIO RELEASE.2023-03-20T20-16-18Z and later versions.

CVE-2025-54068 is a remote command execution (RCE) vulnerability found in Livewire, a full-stack framework for Laravel. Specifically, it affects Livewire v3 versions up to and including v3.6.3. The vulnerability stems from how certain component property updates are handled during hydration, which could allow unauthenticated attackers to execute arbitrary code. Exploitation requires a component to be mounted and configured in a particular way but does not require authentication or user interaction. The vulnerability lies in the `hydrateForUpdate` method within the `Livewire\Mechanisms\HandleComponents\HandleComponents` class. A specially crafted update payload can bypass validation and sanitization during the hydration process, causing the framework to interpret untrusted input as executable code. This issue has been patched in Livewire v3.6.4, and users are strongly encouraged to upgrade to this version or later as soon as possible. There are no known workarounds.

CVE-2025-49113 is a remote code execution vulnerability affecting Roundcube Webmail versions before 1.5.10 and 1.6.x before 1.6.11. It stems from the insufficient validation of the `_from` parameter in the `program/actions/settings/upload.php` file. This lack of validation allows for PHP Object Deserialization, potentially enabling authenticated users to execute arbitrary code on the Roundcube Webmail server. The vulnerability has been addressed in Roundcube Webmail versions 1.5.10 and 1.6.11.

CVE-2025-68461 is a Cross-Site Scripting (XSS) vulnerability affecting Roundcube Webmail versions before 1.5.12 and 1.6 before 1.6.12. The vulnerability is caused by improper neutralization of input during web page generation, specifically through the `animate` tag in SVG documents. This vulnerability allows an attacker to inject malicious JavaScript code that executes in the victim's browser when viewing crafted SVG content within the webmail interface. The vulnerability can be exploited over a network without requiring any privileges or user interaction.

CVE-2025-49113 is a remote code execution vulnerability affecting Roundcube Webmail versions before 1.5.10 and 1.6.x before 1.6.11. It stems from the insufficient validation of the `_from` parameter in the `program/actions/settings/upload.php` file. This lack of validation allows for PHP Object Deserialization, potentially enabling authenticated users to execute arbitrary code on the Roundcube Webmail server. The vulnerability has been addressed in Roundcube Webmail versions 1.5.10 and 1.6.11.

Dell RecoverPoint for Virtual Machines, versions prior to 6.0.3.1 HF1, contain a hardcoded credential vulnerability. This is considered critical as an unauthenticated remote attacker with knowledge of the hardcoded credential could potentially exploit this vulnerability leading to unauthorized access to the underlying operating system and root-level persistence. Dell recommends that customers upgrade or apply one of the remediations as soon as possible.