8.7
CVE-2025-53880 - susemanager-tftpsync-recv allows arbitrary file creation and deletion due to path traversal
A Path Traversal vulnerability in the tftpsync/add and tftpsync/delete scripts allows a remote attacker on an adjacent network to write or delete files on the filesystem with the privileges of the unprivileged wwwrun user. Although the endpoint is unauthenticated, access is restricted to a list of β¦
0.0
CVE-2025-40094 - usb: gadget: f_acm: Refactor bind path to use __free()
In the Linux kernel, the following vulnerability has been resolved: usb: gadget: f_acm: Refactor bind path to use __free() After an bind/unbind cycle, the acm->notify_req is left stale. If a subsequent bind fails, the unified error label attempts to free this stale request, leading to a NULL poinβ¦
6.5
CVE-2025-54471 - NeuVector is shipping cryptographic material into its binary
NeuVector used a hard-coded cryptographic key embedded in the source code. At compilation time, the key value was replaced with the secret key value and used to encrypt sensitive configurations when NeuVector stores the data.
4.6
CVE-2025-54941 - Apache Airflow: Command injection in "example_dag_decorator"
An example dag `example_dag_decorator` had non-validated parameter that allowed the UI user to redirect the example to a malicious server and execute code on worker. This however required that the example dags are enabled in production (not default) or the example dag code copied to build your own β¦
9.9
CVE-2025-54469 - NeuVector Enforcer is vulnerable to Command Injection and Buffer overflow
A vulnerability was identified in NeuVector, where the enforcer used environment variables CLUSTER_RPC_PORT and CLUSTER_LAN_PORT to generate a command to be executed via popen, without first sanitising their values. The entry process of the enforcer container is the monitor process. When the enfβ¦
8.6
CVE-2025-54470 - NeuVector telemetry sender is vulnerable to MITM and DoS
This vulnerability affects NeuVector deployments only when the Report anonymous cluster data option is enabled. When this option is enabled, NeuVector sends anonymous telemetry data to the telemetry server. In affected versions, NeuVector does not enforce TLS certificate verification when transmβ¦
5.4
CVE-2025-62402 - Apache Airflow: Airflow 3 API: /api/v2/dagReports executes DAG Python in API
API users via `/api/v2/dagReports` could perform Dag code execution in the context of the api-server if the api-server was deployed in the environment where Dag files were available.
4.6
CVE-2025-62503 - Apache Airflow: Privilege boundary bypass in bulk APIs (create action can upsert existing Pools/Conβ¦
User with CREATE and no UPDATE privilege for Pools, Connections, Variables could update existing records via bulk create API with overwrite action.
6.7
CVE-2025-11906 - Privilege escalation via writable configuration files in Progress Flowmon
A vulnerability exists in Progress Flowmon versions prior 12.5.6 where certain system configuration files have incorrect file permissions, allowing a user with access to the default flowmon system user account used for SSH access to potentially escalate privileges to root during service initializatβ¦
5.3
CVE-2025-11881 - AppPresser β Mobile App Framework <= 4.5.0 - Missing Authorization to Unauthenticated Limited Sensiβ¦
The AppPresser β Mobile App Framework plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the 'myappp_verify' function in all versions up to, and including, 4.5.0. This makes it possible for unauthenticated attackers to extract sensitive data incluβ¦