Total
309423 CVE
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2024-41147 | 1 Mackron | 1 Miniaudio | 2025-08-26 | N/A | 7.7 HIGH |
| An out-of-bounds write vulnerability exists in the ma_dr_flac__decode_samples__lpc functionality of Miniaudio miniaudio v0.11.21. A specially crafted .flac file can lead to memory corruption. An attacker can provide a malicious file to trigger this vulnerability. | |||||
| CVE-2025-27515 | 1 Laravel | 1 Framework | 2025-08-26 | N/A | 9.8 CRITICAL |
| Laravel is a web application framework. When using wildcard validation to validate a given file or image field (`files.*`), a user-crafted malicious request could potentially bypass the validation rules. This vulnerability is fixed in 11.44.1 and 12.1.1. | |||||
| CVE-2022-1804 | 1 Canonical | 2 Accountsservice, Ubuntu Linux | 2025-08-26 | N/A | 5.5 MEDIUM |
| accountsservice no longer drops permissions when writting .pam_environment | |||||
| CVE-2023-0881 | 1 Canonical | 1 Linux-bluefield | 2025-08-26 | N/A | 7.5 HIGH |
| Running DDoS on tcp port 22 will trigger a kernel crash. This issue is introduced by the backport of a commit regarding nft_lookup without the subsequent fixes that were introduced after this commit. The resolution of this CVE introduces those commits to the linux-bluefield package. | |||||
| CVE-2025-31123 | 1 Zitadel | 1 Zitadel | 2025-08-26 | N/A | 8.7 HIGH |
| Zitadel is open-source identity infrastructure software. A vulnerability existed where expired keys can be used to retrieve tokens. Specifically, ZITADEL fails to properly check the expiration date of the JWT key when used for Authorization Grants. This allows an attacker with an expired key to obtain valid access tokens. This vulnerability does not affect the use of JWT Profile for OAuth 2.0 Client Authentication on the Token and Introspection endpoints, which correctly reject expired keys. This vulnerability is fixed in 2.71.6, 2.70.8, 2.69.9, 2.68.9, 2.67.13, 2.66.16, 2.65.7, 2.64.6, and 2.63.9. | |||||
| CVE-2024-55948 | 1 Discourse | 1 Discourse | 2025-08-26 | N/A | 8.2 HIGH |
| Discourse is an open source platform for community discussion. In affected versions an attacker can make craft an XHR request to poison the anonymous cache (for example, the cache may have a response with missing preloaded data). This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value. | |||||
| CVE-2025-36727 | 1 Simple-help | 1 Simplehelp | 2025-08-26 | N/A | 8.3 HIGH |
| Inclusion of Functionality from Untrusted Control Sphere vulnerability in Simplehelp.This issue affects Simplehelp: before 5.5.12. | |||||
| CVE-2024-47773 | 1 Discourse | 1 Discourse | 2025-08-26 | N/A | 8.2 HIGH |
| Discourse is an open source platform for community discussion. An attacker can make several XHR requests until the cache is poisoned with a response without any preloaded data. This issue only affects anonymous visitors of the site. This problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable anonymous cache by setting the `DISCOURSE_DISABLE_ANON_CACHE` environment variable to a non-empty value. | |||||
| CVE-2025-36728 | 1 Simple-help | 1 Simplehelp | 2025-08-26 | N/A | 6.3 MEDIUM |
| Cross-Site Request Forgery (CSRF) vulnerability in Simplehelp.This issue affects Simplehelp: before 5.5.11. | |||||
| CVE-2024-35227 | 1 Discourse | 1 Discourse | 2025-08-26 | N/A | 7.5 HIGH |
| Discourse is an open-source discussion platform. Prior to version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch, Oneboxing against a carefully crafted malicious URL can reduce the availability of a Discourse instance. The problem has been patched in version 3.2.3 on the `stable` branch and version 3.3.0.beta3 on the `tests-passed` branch. There are no known workarounds available for this vulnerability. | |||||
| CVE-2025-54380 | 1 Apereo | 1 Opencast | 2025-08-26 | N/A | 6.5 MEDIUM |
| Opencast is a free, open-source platform to support the management of educational audio and video content. Prior to version 17.6, Opencast would incorrectly send the hashed global system account credentials (ie: org.opencastproject.security.digest.user and org.opencastproject.security.digest.pass) when attempting to fetch mediapackage elements included in a mediapackage XML file. A previous CVE prevented many cases where the credentials were inappropriately sent, but not all. Anyone with ingest permissions could cause Opencast to send its hashed global system account credentials to a url of their choosing. This issue is fixed in Opencast 17.6. | |||||
| CVE-2024-27100 | 1 Discourse | 1 Discourse | 2025-08-26 | N/A | 6.5 MEDIUM |
| Discourse is an open source platform for community discussion. In affected versions the endpoints for suspending users, silencing users and exporting CSV files weren't enforcing limits on the sizes of the parameters that they accept. This could lead to excessive resource consumption which could render an instance inoperable. A site could be disrupted by either a malicious moderator on the same site or a malicious staff member on another site in the same multisite cluster. This issue is patched in the latest stable, beta and tests-passed versions of Discourse. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-27085 | 1 Discourse | 1 Discourse | 2025-08-26 | N/A | 6.5 MEDIUM |
| Discourse is an open source platform for community discussion. In affected versions users that are allowed to invite others can inject arbitrarily large data in parameters used in the invite route. The problem has been patched in the latest version of Discourse. Users are advised to upgrade. Users unable to upgrade should disable invites or restrict access to them using the `invite allowed groups` site setting. | |||||
| CVE-2025-54574 | 1 Squid-cache | 1 Squid | 2025-08-26 | N/A | 9.3 CRITICAL |
| Squid is a caching proxy for the Web. In versions 6.3 and below, Squid is vulnerable to a heap buffer overflow and possible remote code execution attack when processing URN due to incorrect buffer management. This has been fixed in version 6.4. To work around this issue, disable URN access permissions. | |||||
| CVE-2025-54424 | 1 Fit2cloud | 1 1panel | 2025-08-26 | N/A | 8.1 HIGH |
| 1Panel is a web interface and MCP Server that manages websites, files, containers, databases, and LLMs on a Linux server. In versions 2.0.5 and below, the HTTPS protocol used for communication between the Core and Agent endpoints has incomplete certificate verification during certificate validation, leading to unauthorized interface access. Due to the presence of numerous command execution or high-privilege interfaces in 1Panel, this results in Remote Code Execution (RCE). This is fixed in version 2.0.6. The CVE has been translated from Simplified Chinese using GitHub Copilot. | |||||
| CVE-2024-35230 | 1 Osgeo | 1 Geoserver | 2025-08-26 | N/A | 5.3 MEDIUM |
| GeoServer is an open source software server written in Java that allows users to share and edit geospatial data. In affected versions the welcome and about page includes version and revision information about the software in use (including library and components used). This information is sensitive from a security point of view because it allows software used by the server to be easily identified. This issue has been patched in version 2.26.0 and all users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2025-23042 | 1 Gradio Project | 1 Gradio | 2025-08-26 | N/A | 7.5 HIGH |
| Gradio is an open-source Python package that allows quick building of demos and web application for machine learning models, API, or any arbitrary Python function. Gradio's Access Control List (ACL) for file paths can be bypassed by altering the letter case of a blocked file or directory path. This vulnerability arises due to the lack of case normalization in the file path validation logic. On case-insensitive file systems, such as those used by Windows and macOS, this flaw enables attackers to circumvent security restrictions and access sensitive files that should be protected. This issue can lead to unauthorized data access, exposing sensitive information and undermining the integrity of Gradio's security model. Given Gradio's popularity for building web applications, particularly in machine learning and AI, this vulnerability may pose a substantial threat if exploited in production environments. This issue has been addressed in release version 5.6.0. Users are advised to upgrade. There are no known workarounds for this vulnerability. | |||||
| CVE-2024-52797 | 1 Apereo | 1 Opencast | 2025-08-26 | N/A | 6.5 MEDIUM |
| Opencast is free and open source software for automated video capture and distribution. First noticed in Opencast 13 and 14, Opencast's Elasticsearch integration may generate syntactically invalid Elasticsearch queries in relation to previously acceptable search queries. From Opencast version 11.4 and newer, Elasticsearch queries are retried a configurable number of times in the case of error to handle temporary losses of connection to Elasticsearch. These invalid queries would fail, causing the retry mechanism to begin requerying with the same syntactically invalid query immediately, in an infinite loop. This causes a massive increase in log size which can in some cases cause a denial of service due to disk exhaustion. Opencast 13.10 and Opencast 14.3 contain patches which address the base issue, with Opencast 16.7 containing changes which harmonize the search behaviour between the admin UI and external API. Users are strongly recommended to upgrade as soon as possible if running versions prior to 13.10 or 14.3. While the relevant endpoints require (by default) `ROLE_ADMIN` or `ROLE_API_SERIES_VIEW`, the problem queries are otherwise innocuous. This issue could be easily triggered by normal administrative work on an affected Opencast system. Those who run a version newer than 13.10 and 14.3 and see different results when searching in their admin UI vs your external API or LMS, may resolve the issue by upgrading to 16.7. No known workarounds for the vulnerability are available. | |||||
| CVE-2024-24914 | 1 Checkpoint | 9 Clusterxl, Gaia Os, Multi-domain Management and 6 more | 2025-08-26 | N/A | 8.0 HIGH |
| Authenticated Gaia users can inject code or commands by global variables through special HTTP requests. A Security fix that mitigates this vulnerability is available. | |||||
| CVE-2024-39780 | 1 Openrobotics | 1 Robot Operating System | 2025-08-26 | N/A | 7.8 HIGH |
| A YAML deserialization vulnerability was found in the Robot Operating System (ROS) 'dynparam', a command-line tool for getting, setting, and deleting parameters of a dynamically configurable node, affecting ROS distributions Noetic and earlier. The issue is caused by the use of the yaml.load() function in the 'set' and 'get' verbs, and allows for the creation of arbitrary Python objects. Through this flaw, a local or remote user can craft and execute arbitrary Python code. | |||||