Activity

Vulnerability name

Samsung MagicINFO 9 Server Path Traversal Vulnerability

Product

Samsung MagicINFO 9 Server

Improper limitation of a pathname to a restricted directory vulnerability in Samsung MagicINFO 9 Server version before 21.1052 allows attackers to write arbitrary file as system authority.

This CVE references a Java Expression Language injection vulnerability in Ivanti EPMM, which allows a user with access to a particular API to execute arbitrary code. In conjunction with CVE-2025-4427 - an auth bypass vulnerability which gives access to the API in question - this can be used by an unauthenticated attacker. More information on exact vulnerable versions can be found [here](https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM) - you should patch immediately if vulnerable. Note that in the recommended deployment of EPMM, where the API is not accessible to the internet, the impact is reduced.)

Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests.

Vulnerability name

Ivanti Endpoint Manager Mobile (EPMM) Code Injection Vulnerability

Product

Ivanti Endpoint Manager Mobile (EPMM)

Remote Code Execution in API component in Ivanti Endpoint Manager Mobile 12.5.0.0 and prior on unspecified platforms allows authenticated attackers to execute arbitrary code via crafted API requests.

Vulnerability name

Ivanti Endpoint Manager Mobile (EPMM) Authentication Bypass Vulnerability

Product

Ivanti Endpoint Manager Mobile (EPMM)

An authentication bypass in the API component of Ivanti Endpoint Manager Mobile 12.5.0.0 and prior allows attackers to access protected resources without proper credentials via the API.

Vulnerability name

Srimax Output Messenger Directory Traversal Vulnerability

Product

Srimax Output Messenger

Output Messenger before 2.0.63 was vulnerable to a directory traversal attack through improper file path handling. By using ../ sequences in parameters, attackers could access sensitive files outside the intended directory, potentially leading to configuration leakage or arbitrary file access.

Vulnerability name

Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting (XSS) Vulnerability

Product

Synacor Zimbra Collaboration Suite (ZCS)

An issue was discovered in Zimbra Collaboration (ZCS) 9.0 and 10.0. A Cross-Site Scripting (XSS) vulnerability exists in the CalendarInvite feature of the Zimbra webmail classic user interface, because of improper input validation in the handling of the calendar header. An attacker can exploit this via an email message containing a crafted calendar header with an embedded XSS payload. When a victim views this message in the Zimbra webmail classic interface, the payload is executed in the context of the victim's session, potentially leading to execution of arbitrary JavaScript code.

Vulnerability name

MDaemon Email Server Cross-Site Scripting (XSS) Vulnerability

Product

MDaemon Email Server

An XSS issue was discovered in MDaemon Email Server before version 24.5.1c. An attacker can send an HTML e-mail message with JavaScript in an img tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window.

Vulnerability name

ZKTeco BioTime Path Traversal Vulnerability

Product

ZKTeco BioTime

A path traversal vulnerability in the iclock API of ZKTeco BioTime v8.5.5 allows unauthenticated attackers to read arbitrary files via supplying a crafted payload.

Vulnerability name

Google Chromium Loader Insufficient Policy Enforcement Vulnerability

Product

Google Chromium

Insufficient policy enforcement in Loader in Google Chrome prior to 136.0.7103.113 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High)

Vulnerability name

SAP NetWeaver Deserialization Vulnerability

Product

SAP NetWeaver

SAP NetWeaver Visual Composer Metadata Uploader is vulnerable when a privileged user can upload untrusted or malicious content which, when deserialized, could potentially lead to a compromise of confidentiality, integrity, and availability of the host system.

Vulnerability name

DrayTek Vigor Routers OS Command Injection Vulnerability

Product

DrayTek Vigor Routers

A vulnerability, which was classified as critical, was found in DrayTek Vigor2960 and Vigor300B 1.5.1.4. Affected is an unknown function of the file /cgi-bin/mainfunction.cgi/apmcfgupload of the component Web Management Interface. The manipulation of the argument session leads to os command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.5.1.5 is able to address this issue. It is recommended to upgrade the affected component.

Vulnerability name

Fortinet Multiple Products Stack-Based Buffer Overflow Vulnerability

Product

Fortinet Multiple Products

A stack-based buffer overflow vulnerability [CWE-121] in Fortinet FortiVoice versions 7.2.0, 7.0.0 through 7.0.6, 6.4.0 through 6.4.10, FortiRecorder versions 7.2.0 through 7.2.3, 7.0.0 through 7.0.5, 6.4.0 through 6.4.5, FortiMail versions 7.6.0 through 7.6.2, 7.4.0 through 7.4.4, 7.2.0 through 7.2.7, 7.0.0 through 7.0.8, FortiNDR versions 7.6.0, 7.4.0 through 7.4.7, 7.2.0 through 7.2.4, 7.0.0 through 7.0.6, FortiCamera versions 2.1.0 through 2.1.3, 2.0 all versions, 1.1 all versions, allows a remote unauthenticated attacker to execute arbitrary code or commands via sending HTTP requests with specially crafted hash cookie.

Vulnerability name

Microsoft Windows Common Log File System (CLFS) Driver Heap-Based Buffer Overflow Vulnerability

Product

Microsoft Windows

Improper input validation in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

Vulnerability name

Microsoft Windows Common Log File System (CLFS) Driver Use-After-Free Vulnerability

Product

Microsoft Windows

Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.

Vulnerability name

Microsoft Windows DWM Core Library Use-After-Free Vulnerability

Product

Microsoft Windows

Use after free in Windows DWM allows an authorized attacker to elevate privileges locally.

Vulnerability name

Microsoft Windows Scripting Engine Type Confusion Vulnerability

Product

Microsoft Windows

Access of resource using incompatible type ('type confusion') in Microsoft Scripting Engine allows an unauthorized attacker to execute code over a network.

Vulnerability name

Microsoft Windows Ancillary Function Driver for WinSock Use-After-Free Vulnerability

Product

Microsoft Windows

Use after free in Windows Ancillary Function Driver for WinSock allows an authorized attacker to elevate privileges locally.

Vulnerability name

TeleMessage TM SGNL Hidden Functionality Vulnerability

Product

TeleMessage TM SGNL

The TeleMessage archiving backend through 2025-05-05 holds cleartext copies of messages from TM SGNL (aka Archive Signal) app users, which is different functionality than described in the TeleMessage "End-to-End encryption from the mobile phone through to the corporate archive" documentation, as exploited in the wild in May 2025.

Vulnerability name

GeoVision Devices OS Command Injection Vulnerability

Product

GeoVision Multiple Devices

Certain EOL GeoVision devices fail to properly filter user input for the specific functionality. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device.

Vulnerability name

GeoVision Devices OS Command Injection Vulnerability

Product

GeoVision Multiple Devices

Certain EOL GeoVision devices have an OS Command Injection vulnerability. Unauthenticated remote attackers can exploit this vulnerability to inject and execute arbitrary system commands on the device. Moreover, this vulnerability has already been exploited by attackers, and we have received related reports.

Vulnerability name

FreeType Out-of-Bounds Write Vulnerability

Product

FreeType FreeType

An out of bounds write exists in FreeType versions 2.13.0 and below (newer versions of FreeType are not vulnerable) when attempting to parse font subglyph structures related to TrueType GX and variable font files. The vulnerable code assigns a signed short value to an unsigned long and then adds a static value causing it to wrap around and allocate too small of a heap buffer. The code then writes up to 6 signed long integers out of bounds relative to this buffer. This may result in arbitrary code execution. This vulnerability may have been exploited in the wild.

Vulnerability name

Langflow Missing Authentication Vulnerability

Product

Langflow Langflow

Langflow versions prior to 1.3.0 are susceptible to code injection in the /api/v1/validate/code endpoint. A remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code.

Vulnerability name

Commvault Command Center Path Traversal Vulnerability

Product

Commvault Command Center

The Commvault Command Center Innovation Release allows an unauthenticated actor to upload ZIP files that represent install packages that, when expanded by the target server, are vulnerable to path traversal vulnerability that can result in Remote Code Execution via malicious JSP. This issue affects Command Center Innovation Release: 11.38.0 to 11.38.20. The vulnerability is fixed in 11.38.20 with SP38-CU20-433 and SP38-CU20-436 and also fixed in 11.38.25 with SP38-CU25-434 and SP38-CU25-438.

Vulnerability name

Yiiframework Yii Improper Protection of Alternate Path Vulnerability

Product

Yiiframework Yii

Yii 2 before 2.0.52 mishandles the attaching of behavior that is defined by an __class array key, a CVE-2024-4990 regression, as exploited in the wild in February through April 2025.

Vulnerability name

Apache HTTP Server Improper Escaping of Output Vulnerability

Product

Apache HTTP Server

Improper escaping of output in mod_rewrite in Apache HTTP Server 2.4.59 and earlier allows an attacker to map URLs to filesystem locations that are permitted to be served by the server but are not intentionally/directly reachable by any URL, resulting in code execution or source code disclosure. Substitutions in server context that use a backreferences or variables as the first segment of the substitution are affected.  Some unsafe RewiteRules will be broken by this change and the rewrite flag "UnsafePrefixStat" can be used to opt back in once ensuring the substitution is appropriately constrained.

Vulnerability name

SonicWall SMA100 Appliances OS Command Injection Vulnerability

Product

SonicWall SMA100 Appliances

Improper neutralization of special elements in the SMA100 SSL-VPN management interface allows a remote authenticated attacker with administrative privilege to inject arbitrary commands as a 'nobody' user, potentially leading to OS Command Injection Vulnerability.

Vulnerability name

SAP NetWeaver Unrestricted File Upload Vulnerability

Product

SAP NetWeaver

SAP NetWeaver Visual Composer Metadata Uploader is not protected with a proper authorization, allowing unauthenticated agent to upload potentially malicious executable binaries that could severely harm the host system. This could significantly affect the confidentiality, integrity, and availability of the targeted system.

This vulnerability allows an attacker to modify data on a page rendered by React Router by submitting a malicious `X-React-Router-Prerender-Data` header. If caching is in use on this application, this can then be used to poison the cache, causing the modified data to be shown to other users. There is also potential to then use this for cross-site scripting, although, this would depend on how the data is processed by the client, and will not be the case for all applications. In order for this application to be vulnerable, React Router must be used in Framework mode.)

React Router is a router for React. In versions on the 7.0 branch prior to version 7.5.2, it's possible to modify pre-rendered data by adding a header to the request. This allows to completely spoof its contents and modify all the values ​​of the data object passed to the HTML. This issue has been patched in version 7.5.2.

Vulnerability name

Qualitia Active! Mail Stack-Based Buffer Overflow Vulnerability

Product

Qualitia Active! Mail

Active! mail 6 BuildInfo: 6.60.05008561 and earlier contains a stack-based buffer overflow vulnerability. Receiving a specially crafted request created and sent by a remote unauthenticated attacker may lead to arbitrary code execution and/or a denial-of-service (DoS) condition.

Vulnerability name

Commvault Web Server Unspecified Vulnerability

Product

Commvault Web Server

Commvault Web Server has an unspecified vulnerability that can be exploited by a remote, authenticated attacker. According to the Commvault advisory: "Webservers can be compromised through bad actors creating and executing webshells." Fixed in version 11.36.46, 11.32.89, 11.28.141, and 11.20.217 for Windows and Linux platforms. This vulnerability was added to the CISA Known Exploited Vulnerabilities (KEV) Catalog on 2025-04-28.

Vulnerability name

Broadcom Brocade Fabric OS Code Injection Vulnerability

Product

Broadcom Brocade Fabric OS

Brocade Fabric OS versions starting with 9.1.0 have root access removed, however, a local user with admin privilege can potentially execute arbitrary code with full root privileges on Fabric OS versions 9.1.0 through 9.1.1d6.

Vulnerability name

Apple Multiple Products Arbitrary Read and Write Vulnerability

Product

Apple Multiple Products

This issue was addressed by removing the vulnerable code. This issue is fixed in tvOS 18.4.1, visionOS 2.4.1, iOS iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1. An attacker with arbitrary read and write capability may be able to bypass Pointer Authentication. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.

Vulnerability name

Apple Multiple Products Memory Corruption Vulnerability

Product

Apple Multiple Products

A memory corruption issue was addressed with improved bounds checking. This issue is fixed in tvOS 18.4.1, visionOS 2.4.1, iOS iOS 18.4.1 and iPadOS 18.4.1, macOS Sequoia 15.4.1. Processing an audio stream in a maliciously crafted media file may result in code execution. Apple is aware of a report that this issue may have been exploited in an extremely sophisticated attack against specific targeted individuals on iOS.

Vulnerability name

Microsoft Windows NTLM Hash Disclosure Spoofing Vulnerability

Product

Microsoft Windows

External control of file name or path in Windows NTLM allows an unauthorized attacker to perform spoofing over a network.

Vulnerability name

SonicWall SMA100 Appliances OS Command Injection Vulnerability

Product

SonicWall SMA100 Appliances

Improper neutralization of special elements in the SMA100 management interface allows a remote authenticated attacker to inject arbitrary commands as a 'nobody' user which potentially leads to DoS.

Vulnerability name

Linux Kernel Out-of-Bounds Access Vulnerability

Product

Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix potential out-of-bound accesses for Extigy and Mbox devices A bogus device can provide a bNumConfigurations value that exceeds the initial value used in usb_get_configuration for allocating dev->config. This can lead to out-of-bounds accesses later, e.g. in usb_destroy_configuration.

Vulnerability name

Linux Kernel Out-of-Bounds Read Vulnerability

Product

Linux Kernel

In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix out of bounds reads when finding clock sources The current USB-audio driver code doesn't check bLength of each descriptor at traversing for clock descriptors. That is, when a device provides a bogus descriptor with a shorter bLength, the driver might hit out-of-bounds reads. For addressing it, this patch adds sanity checks to the validator functions for the clock descriptor traversal. When the descriptor length is shorter than expected, it's skipped in the loop. For the clock source and clock multiplier descriptors, we can just check bLength against the sizeof() of each descriptor type. OTOH, the clock selector descriptor of UAC2 and UAC3 has an array of bNrInPins elements and two more fields at its tail, hence those have to be checked in addition to the sizeof() check.

Vulnerability name

Gladinet CentreStack Use of Hard-coded Cryptographic Key Vulnerability

Product

Gladinet CentreStack

Gladinet CentreStack through 16.1.10296.56315 (fixed in 16.4.10315.56368) has a deserialization vulnerability due to the CentreStack portal's hardcoded machineKey use, as exploited in the wild in March 2025. This enables threat actors (who know the machineKey) to serialize a payload for server-side deserialization to achieve remote code execution. NOTE: a CentreStack admin can manually delete the machineKey defined in portal\web.config.

Vulnerability name

CrushFTP Authentication Bypass Vulnerability

Product

CrushFTP CrushFTP

CrushFTP 10 before 10.8.4 and 11 before 11.3.1 allows authentication bypass and takeover of the crushadmin account (unless a DMZ proxy instance is used), as exploited in the wild in March and April 2025, aka "Unauthenticated HTTP(S) port access." A race condition exists in the AWS4-HMAC (compatible with S3) authorization method of the HTTP component of the FTP server. The server first verifies the existence of the user by performing a call to login_user_pass() with no password requirement. This will authenticate the session through the HMAC verification process and up until the server checks for user verification once more. The vulnerability can be further stabilized, eliminating the need for successfully triggering a race condition, by sending a mangled AWS4-HMAC header. By providing only the username and a following slash (/), the server will successfully find a username, which triggers the successful anypass authentication process, but the server will fail to find the expected SignedHeaders entry, resulting in an index-out-of-bounds error that stops the code from reaching the session cleanup. Together, these issues make it trivial to authenticate as any known or guessable user (e.g., crushadmin), and can lead to a full compromise of the system by obtaining an administrative account.

Vulnerability name

Ivanti Connect Secure, Policy Secure and ZTA Gateways Stack-Based Buffer Overflow Vulnerability

Product

Ivanti Connect Secure, Policy Secure and ZTA Gateways

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.

Vulnerability name

Ivanti Connect Secure, Policy Secure and ZTA Gateways Stack-Based Buffer Overflow Vulnerability

Product

Ivanti Connect Secure, Policy Secure and ZTA Gateways

A stack-based buffer overflow in Ivanti Connect Secure before version 22.7R2.6, Ivanti Policy Secure before version 22.7R1.4, and Ivanti ZTA Gateways before version 22.8R2.2 allows a remote unauthenticated attacker to achieve remote code execution.

Vulnerability name

Apache Tomcat Path Equivalence Vulnerability

Product

Apache Tomcat

Path Equivalence: 'file.Name' (Internal Dot) leading to Remote Code Execution and/or Information disclosure and/or malicious content added to uploaded files via write enabled Default Servlet in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.2, from 10.1.0-M1 through 10.1.34, from 9.0.0.M1 through 9.0.98. If all of the following were true, a malicious user was able to view security sensitive files and/or inject content into those files: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - a target URL for security sensitive uploads that was a sub-directory of a target URL for public uploads - attacker knowledge of the names of security sensitive files being uploaded - the security sensitive files also being uploaded via partial PUT If all of the following were true, a malicious user was able to perform remote code execution: - writes enabled for the default servlet (disabled by default) - support for partial PUT (enabled by default) - application was using Tomcat's file based session persistence with the default storage location - application included a library that may be leveraged in a deserialization attack Users are recommended to upgrade to version 11.0.3, 10.1.35 or 9.0.99, which fixes the issue.

Vulnerability name

Cisco Smart Licensing Utility Static Credential Vulnerability

Product

Cisco Smart Licensing Utility

A vulnerability in Cisco Smart Licensing Utility (CSLU) could allow an unauthenticated, remote attacker to log into an affected system by using a static administrative credential. This vulnerability is due to an undocumented static user credential for an administrative account. An attacker could exploit this vulnerability by using the static credentials to login to the affected system. A successful exploit could allow the attacker to login to the affected system with administrative rights over the CSLU application API.

Vulnerability name

Google Chromium Mojo Sandbox Escape Vulnerability

Product

Google Chromium Mojo

Incorrect handle provided in unspecified circumstances in Mojo in Google Chrome on Windows prior to 134.0.6998.177 allowed a remote attacker to perform a sandbox escape via a malicious file. (Chromium security severity: High)

Vulnerability name

Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability

Product

Sitecore CMS and Experience Platform (XP)

Deserialization of Untrusted Data in the anti CSRF module in Sitecore through 9.1 allows an authenticated attacker to execute arbitrary code by sending a serialized .NET object in an HTTP POST parameter.

Vulnerability name

Sitecore CMS and Experience Platform (XP) Deserialization Vulnerability

Product

Sitecore CMS and Experience Platform (XP)

Deserialization of Untrusted Data in the Sitecore.Security.AntiCSRF (aka anti CSRF) module in Sitecore CMS 7.0 to 7.2 and Sitecore XP 7.5 to 8.2 allows an unauthenticated attacker to execute arbitrary code by sending a serialized .NET object in the HTTP POST parameter __CSRFTOKEN.

This authentication bypass vulnerability in Next.js allows an attacker to bypass middleware validation steps such as checking the user is authorized to access a resource. The exploit is simple to use and could potentially be exploited en-masse, though some manual effort is likely to be required to identify routes that are not accessible without authentication. The [advisory](https://nextjs.org/blog/cve-2025-29927) states that deployments using `next start` and `output: 'standalone'` should be updated as a priority, and lists the affected versions. Next.js is a full stack framework, and application which are only using front-end elements of the framework will not be vulnerable. Additionally, popular WAFs like Cloudflare [added detection rules](https://developers.cloudflare.com/changelog/2025-03-22-next-js-vulnerability-waf/) for this exploit already, so there is also reduced risk for applications which are deployed behind a WAF with effective rules. However, WAFs should not be relied upon to protect against this weakness, as further research could reveal bypasses, or alternative routes to exploit the weakness. )

Next.js is a React framework for building full-stack web applications. Starting in version 1.11.4 and prior to versions 12.3.5, 13.5.9, 14.2.25, and 15.2.3, it is possible to bypass authorization checks within a Next.js application, if the authorization check occurs in middleware. If patching to a safe version is infeasible, it is recommend that you prevent external user requests which contain the x-middleware-subrequest header from reaching your Next.js application. This vulnerability is fixed in 12.3.5, 13.5.9, 14.2.25, and 15.2.3.

Vulnerability name

reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability

Product

reviewdog action-setup GitHub Action

reviewdog/action-setup is a GitHub action that installs reviewdog. reviewdog/action-setup@v1 was compromised March 11, 2025, between 18:42 and 20:31 UTC, with malicious code added that dumps exposed secrets to Github Actions Workflow Logs. Other reviewdog actions that use `reviewdog/action-setup@v1` that would also be compromised, regardless of version or pinning method, are reviewdog/action-shellcheck, reviewdog/action-composite-template, reviewdog/action-staticcheck, reviewdog/action-ast-grep, and reviewdog/action-typos.

Vulnerability name

SAP NetWeaver Directory Traversal Vulnerability

Product

SAP NetWeaver

Directory traversal vulnerability in scheduler/ui/js/ffffffffbca41eb4/UIUtilJavaScriptJS in SAP NetWeaver Application Server Java 7.5 allows remote attackers to read arbitrary files via a .. (dot dot) in the query string, as exploited in the wild in August 2017, aka SAP Security Note 2486657.

Vulnerability name

Edimax IC-7100 IP Camera OS Command Injection Vulnerability

Product

Edimax IC-7100 IP Camera

Edimax IC-7100 does not properly neutralize requests. An attacker can create specially crafted requests to achieve remote code execution on the device