6.1
CVE-2025-14104 - util-linux: heap buffer overread in setpwnam() when processing 256-byte usernames
A flaw was found in util-linux. A username of exactly 256 bytes triggers a heap buffer overread in the `setpwnam()` function, which is reached from the set-user-ID (SUID) login-utils utilities that write to the password database.
8.7
CVE-2025-13373 - Advantech iView SQL Injection
Advantech iView versions 5.7.05.7057 and prior do not properly sanitize SNMP v1 trap messages received on UDP port 162, which could allow an attacker to inject SQL commands.
7.5
CVE-2025-66564 - Sigstore Timestamp Authority allocates excessive memory during request parsing
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, function api.ParseJSONRequest splits (via a call to strings.Split) an optionally provided OID, which is untrusted data, on periods. Similarly, function api.getContentType splits the Content-Type hea…
7.1
CVE-2025-66563 - Monkeytype vulnerable to stored XSS in approve quotes page
Monkeytype is a minimalistic and customizable typing test. In 25.49.0 and earlier, improper handling of user input allows an attacker to execute malicious JavaScript in the browser of anyone viewing a malicious quote submission. quote.text and quote.source are user input, and they're inserted strai…
5.3
CVE-2025-14051 - youlaitech youlai-mall addresses deleteAddress improper control of dynamically-identified variables
A flaw has been found in youlaitech youlai-mall 1.0.0/2.0.0. The functions getById, updateAddress and deleteAddress in the file /mall-ums/app-api/v1/addresses/ are affected. Manipulating the request can lead to improper control of dynamically-identified variables. The attack can be executed remotely. The ex…
7.3
CVE-2025-66561 - SysReptor Vulnerable to an Authenticated Stored Cross-Site Scripting (XSS)
SysReptor is a fully customizable pentest reporting platform. Prior to 2025.102, a stored cross-site scripting (XSS) vulnerability allows authenticated users to execute malicious JavaScript in the context of other logged-in users by uploading malicious JavaScript files in the web UI. This …
8
CVE-2025-66559 - Taiko Alethia Pacaya inbox verification pointer corruption
Taiko Alethia is an Ethereum-equivalent, permissionless, based rollup designed to scale Ethereum without compromising its fundamental properties. In 2.3.1 and earlier, TaikoInbox._verifyBatches (packages/protocol/contracts/layer1/based/TaikoInbox.sol:627-678) advanced the local tid to whatever tran…
7.5
CVE-2025-1547 - WatchGuard Firebox Authenticated Stack Overflow in Certificate Request Command
A stack-based buffer overflow vulnerability [CWE-121] in WatchGuard Fireware OS's certificate request command could allow an authenticated privileged user to execute arbitrary code via specially crafted CLI commands. This issue affects Fireware OS: from 12.0 through 12.5.12+701324, from 12.6 through…
8.9
CVE-2025-66509 - LaraDashboard: 1-Click Pre-Auth RCE via Host Header + Module Installation Chain
LaraDashboard is an all-in-one solution to start a Laravel application. In 2.3.0 and earlier, the password reset flow trusts the Host header, allowing attackers to redirect the administrator's reset token to an attacker-controlled server. This can be combined with the module installation process to…
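The Host-header weakness described for LaraDashboard is a generic pattern: any application that builds its password-reset link from the inbound request's Host header will mail the token to whatever host the requester names. The following is an added example, not LaraDashboard's own (PHP) code, that shows the vulnerable shape beside the conventional fix in Go: the link host comes from an operator-configured base URL, and a mismatching Host header is refused outright. The type and function names, the configured host, the reset path and the sample token are assumptions made for the illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// appConfig stands in for settings loaded at startup (an assumed name; the
// analogue in a Laravel deployment would be APP_URL). The configured base
// URL is the only trustworthy source for the host that goes into outbound
// links such as password-reset e-mails.
type appConfig struct {
	BaseURL *url.URL
}

var errHostMismatch = errors.New("request Host does not match configured application host")

// resetLinkFromHost reproduces the vulnerable shape: the link host is copied
// from the inbound request. Because the client controls the Host header, a
// request carrying "Host: attacker.example" makes the server mail the
// administrator a link that hands the reset token to the attacker.
func resetLinkFromHost(r *http.Request, token string) string {
	scheme := "http"
	if r.TLS != nil {
		scheme = "https"
	}
	return scheme + "://" + r.Host + "/password/reset/" + token
}

// resetLinkFromConfig builds the link from configuration only. As defence in
// depth it also refuses to serve the reset flow when the request's Host does
// not match the configured host, so a spoofed or misrouted request is
// reported instead of silently producing a token-bearing link.
func resetLinkFromConfig(cfg appConfig, r *http.Request, token string) (string, error) {
	if r.Host != cfg.BaseURL.Host {
		return "", errHostMismatch
	}
	u := *cfg.BaseURL                   // copy so the configured value is never mutated
	u.Path = "/password/reset/" + token // token assumed URL-safe (e.g. hex)
	u.RawQuery = ""
	return u.String(), nil
}

// mustParseURL parses a URL that is known at startup and must be valid.
func mustParseURL(s string) *url.URL {
	u, err := url.Parse(s)
	if err != nil {
		panic(err)
	}
	return u
}

func main() {
	cfg := appConfig{BaseURL: mustParseURL("https://dashboard.example")}
	const token = "d4c1f0a3e8b2" // constructed sample token

	// Constructed request: a legitimate path, but a spoofed Host header.
	r := httptest.NewRequest(http.MethodPost, "http://dashboard.example/password/email", nil)
	r.Host = "attacker.example"

	fmt.Println("trusting Host header:", resetLinkFromHost(r, token))
	if _, err := resetLinkFromConfig(cfg, r, token); err != nil {
		fmt.Println("using configuration: ", err)
	}
	r.Host = cfg.BaseURL.Host
	link, _ := resetLinkFromConfig(cfg, r, token)
	fmt.Println("using configuration: ", link)
}
```

Rejecting a mismatching Host rather than just ignoring it is deliberate: behind a reverse proxy the header should always equal the configured host, so a mismatch is either a proxy misconfiguration or an attack, and both deserve a logged failure.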
7.5
CVE-2025-66506 - Fulcio allocates excessive memory during token parsing
Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument, which is untrusted data, on periods. As a result, in the face of a malici…
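The Sigstore Timestamp Authority and Fulcio entries above describe the same Go pattern: untrusted input handed to strings.Split on "." before any validation, so a request made of N periods forces roughly N string headers (16 bytes each on 64-bit targets) to be allocated on top of the N input bytes. The following is an added example, not code from either project, that shows that shape beside a bounded parser which caps length and arc count, checks the character set, and only then splits. The bounds (128 bytes, 32 arcs), the function names and the sample inputs are assumptions made for the illustration; the OID text used is a constructed sample.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// splitUnbounded mirrors the vulnerable shape: no length or character check
// before the split, so the allocation is proportional to the number of
// separators the client chose to send. It returns the number of parts.
func splitUnbounded(oid string) int {
	return len(strings.Split(oid, "."))
}

// Illustrative bounds for this example; the OIDs a timestamp policy or an
// issuer string can legitimately carry are short.
const (
	maxOIDLen  = 128
	maxOIDArcs = 32
)

var errBadOID = errors.New("malformed OID")

// parseOIDBounded validates the untrusted string before splitting: a length
// cap, a digits-and-dots character check, and an arc-count cap computed with
// strings.Count, which allocates nothing. Only then is strings.Split called,
// and empty arcs (leading, trailing or doubled dots) are rejected.
func parseOIDBounded(oid string) ([]string, error) {
	if len(oid) == 0 || len(oid) > maxOIDLen {
		return nil, fmt.Errorf("%w: length %d", errBadOID, len(oid))
	}
	for i := 0; i < len(oid); i++ {
		c := oid[i]
		if c != '.' && (c < '0' || c > '9') {
			return nil, fmt.Errorf("%w: byte %q", errBadOID, c)
		}
	}
	if n := strings.Count(oid, ".") + 1; n > maxOIDArcs {
		return nil, fmt.Errorf("%w: %d arcs", errBadOID, n)
	}
	arcs := strings.Split(oid, ".")
	for _, a := range arcs {
		if a == "" {
			return nil, fmt.Errorf("%w: empty arc", errBadOID)
		}
	}
	return arcs, nil
}

func main() {
	// Constructed hostile input: one megabyte of periods.
	hostile := strings.Repeat(".", 1<<20)
	fmt.Printf("unbounded: %d parts allocated for %d input bytes\n",
		splitUnbounded(hostile), len(hostile))
	if _, err := parseOIDBounded(hostile); err != nil {
		fmt.Println("bounded:", err)
	}

	// Constructed benign input.
	arcs, err := parseOIDBounded("1.2.840.113549")
	fmt.Println("bounded:", arcs, err)
}
```

The order of the checks matters: the length cap and the strings.Count pass cost O(n) time and no allocation, so a hostile request is rejected before the server has committed memory proportional to the attacker's choice of separator count.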