Vulnerability intelligence

CVE-2025-49113 is a remote code execution vulnerability affecting Roundcube Webmail versions before 1.5.10 and 1.6.x before 1.6.11. It stems from the insufficient validation of the `_from` parameter in the `program/actions/settings/upload.php` file. This lack of validation allows for PHP Object Deserialization, potentially enabling authenticated users to execute arbitrary code on the Roundcube Webmail server. The vulnerability has been addressed in Roundcube Webmail versions 1.5.10 and 1.6.11.

CVE-2025-4123 is a cross-site scripting (XSS) vulnerability found in Grafana. It stems from a combination of client path traversal and an open redirect issue within the handling of custom frontend plugins. This flaw allows attackers to redirect users to malicious websites and execute arbitrary JavaScript code. The vulnerability is particularly concerning because it can be exploited even without editor permissions, especially if anonymous access is enabled in Grafana. Furthermore, if the Grafana Image Renderer plugin is installed, the vulnerability can be escalated to a full read Server-Side Request Forgery (SSRF), potentially exposing internal services and cloud metadata. All supported versions of Grafana OSS and Grafana Enterprise, starting from Grafana 8 are affected.

CVE-2025-0913 is associated with multiple vulnerabilities across different software. One vulnerability affects the Slider & Popup Builder by Depicter plugin for WordPress. Specifically, it is a generic SQL Injection vulnerability present in versions up to and including 3.6.1. The vulnerability lies in the 's' parameter due to insufficient escaping of user-supplied input and inadequate preparation of the existing SQL query. Another vulnerability, CVE-2025-0913, is found in Ashlar-Vellum Cobalt related to CO file parsing. This use-after-free vulnerability allows remote attackers to execute arbitrary code on affected installations. Exploitation requires user interaction, such as opening a malicious file. The flaw stems from the lack of validation of an object's existence before operations are performed on it.

CVE-2025-21480 is an incorrect authorization vulnerability found in Qualcomm's Adreno GPU driver, specifically within the Graphics component. This flaw can lead to memory corruption due to unauthorized command execution in the GPU microcode when a specific sequence of commands is processed. The vulnerability is one of three zero-day flaws that were actively exploited in targeted attacks. Patches for this issue have been made available to OEMs, with a strong recommendation to deploy the update on affected devices as soon as possible.

CVE-2025-27038 is a use-after-free vulnerability found in the Graphics component of Qualcomm's Adreno GPU drivers. This vulnerability can lead to memory corruption while rendering graphics, specifically when using the Adreno GPU drivers in Chrome. Qualcomm has released patches for this vulnerability, along with CVE-2025-21479 and CVE-2025-21480, and recommends that OEMs deploy the updates to affected devices as soon as possible. There are indications that CVE-2025-27038 may be under limited, targeted exploitation.

CVE-2025-5419 is an out-of-bounds read and write vulnerability found in the V8 JavaScript and WebAssembly engine of Google Chrome. Specifically, it affects Google Chrome versions prior to 137.0.7151.68. According to the NIST's National Vulnerability Database (NVD), this vulnerability could allow a remote attacker to potentially exploit heap corruption through a crafted HTML page. The vulnerability was reported to Google on May 27, 2025, by Clement Lecigne and Benoît Sevens of Google's Threat Analysis Group (TAG). Google has confirmed that an exploit for CVE-2025-5419 exists in the wild and has released a security update to address the issue. A configuration change was pushed to the Stable version of Chrome across all platforms on May 28, 2025, to mitigate the bug.