8.8

CVSS3.1

CVE-2025-67729 - lmdeploy vulnerable to Arbitrary Code Execution via Insecure Deserialization in torch.load()

LMDeploy is a toolkit for compressing, deploying, and serving LLMs. Prior to version 0.11.1, an insecure deserialization vulnerability exists in lmdeploy where torch.load() is called without the weights_only=True parameter when loading model checkpoint files. This allows an attacker to execute arbi…

📅 Published: Dec. 26, 2025, 9:54 p.m. 🔄 Last Modified: Dec. 31, 2025, 9:31 p.m.

7.1

CVSS3.1

CVE-2025-68697 - Self-hosted n8n has Legacy Code node that enables arbitrary file read/write

n8n is an open source workflow automation platform. Prior to version 2.0.0, in self-hosted n8n instances where the Code node runs in legacy (non-task-runner) JavaScript execution mode, authenticated users with workflow editing access can invoke internal helper functions from within the Code node. T…

📅 Published: Dec. 26, 2025, 9:51 p.m. 🔄 Last Modified: Dec. 31, 2025, 9:27 p.m.

9.9

CVSS3.1

CVE-2025-68668 - n8n Vulnerable to Arbitrary Command Execution in Pyodide based Python Code Node

n8n is an open source workflow automation platform. From version 1.0.0 to before 2.0.0, a sandbox bypass vulnerability exists in the Python Code Node that uses Pyodide. An authenticated user with permission to create or modify workflows can exploit this vulnerability to execute arbitrary commands o…

📅 Published: Dec. 26, 2025, 9:49 p.m. 🔄 Last Modified: Jan. 5, 2026, 5:15 p.m.

7.3

CVSS3.1

CVE-2025-61914 - n8n's Possible Stored XSS in "Respond to Webhook" Node May Execute Outside iframe Sandbox

n8n is an open source workflow automation platform. Prior to version 1.114.0, a stored Cross-Site Scripting (XSS) vulnerability may occur in n8n when using the “Respond to Webhook” node. When this node responds with HTML content containing executable scripts, the payload may execute directly in the…

📅 Published: Dec. 26, 2025, 9:48 p.m. 🔄 Last Modified: Dec. 31, 2025, 9:31 p.m.

9.3

CVSS4.0

CVE-2025-13158 - apidoc-core - prototype pollution in api_group.js, api_param_title.js, api_use.js, and api_permissi…

Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the “define” property processed by the application, potentially leading to denial of service or uninten…

📅 Published: Dec. 26, 2025, 4 p.m. 🔄 Last Modified: Dec. 29, 2025, 11:04 p.m.

7.7

CVSS3.1

CVE-2025-64645 - Multiple Vulnerabilities in IBM Concert Software.

IBM Concert 1.0.0 through 2.1.0 could allow a local user to escalate their privileges due to a race condition of a symbolic link.

📅 Published: Dec. 26, 2025, 2:24 p.m. 🔄 Last Modified: Feb. 26, 2026, 4:07 p.m.

5.4

CVSS3.1

CVE-2025-36230 - XSS in IBM Aspera Faspex

IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 is vulnerable to HTML injection. A remote attacker could inject malicious HTML code, which when viewed, would be executed in the victim's Web browser within the security context of the hosting site.

📅 Published: Dec. 26, 2025, 2:22 p.m. 🔄 Last Modified: Dec. 29, 2025, 5:42 p.m.

3.1

CVSS3.1

CVE-2025-36229 - Exposure of Sensitive System Information to an Unauthorized Control Sphere in IBM Aspera Faspex

IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 could allow authenticated users to enumerate sensitive information about data by enumerating package identifiers.

📅 Published: Dec. 26, 2025, 2:15 p.m. 🔄 Last Modified: Dec. 29, 2025, 6:10 p.m.

3.8

CVSS3.1

CVE-2025-36228 - Incorrect Execution-Assigned Permissions in IBM Aspera Faspex

IBM Aspera Faspex 5 5.0.0 through 5.0.14.1 may have inconsistent permissions between the user interface and backend API that allow users to access features that appeared disabled, potentially leading to misuse.

📅 Published: Dec. 26, 2025, 2:11 p.m. 🔄 Last Modified: Dec. 29, 2025, 6:15 p.m.

6.7

CVSS3.1

CVE-2025-36192 - Missing Authorization with the DS8900F and DS8A00 Hardware Management Console

IBM DS8A00 (R10.1) 10.10.106.0 and IBM DS8A00 (R10.0) 10.1.3.010.2.45.0 and IBM DS8900F (R9.4) 89.40.83.089.42.18.089.44.5.0 IBM System Storage DS8000 could allow a local user with authorized CCW update permissions to delete or corrupt backups due to missing authorization in IBM Safeguarded Copy …

📅 Published: Dec. 26, 2025, 1:58 p.m. 🔄 Last Modified: Jan. 14, 2026, 9:09 p.m.