6.1
CVE-2025-13084 - Opto 22 groov View Exposure of Sensitive Information Through Metadata
The users endpoint in the groov View API returns a list of all users and associated metadata including their API keys. This endpoint requires an Editor role to access and will display API keys for all users, including Administrators.
3.7
CVE-2025-2486 - UEFI Shell accessible in AAVMF with Secure Boot enabled on Ubuntu
The Ubuntu edk2 UEFI firmware packages accidentally allowed the UEFI Shell to be accessed in Secure Boot environments, possibly allowing bypass of Secure Boot constraints. Versions 2024.05-2ubuntu0.3 and 2024.02-2ubuntu0.3 disable the Shell. Some previous versions inserted a secure-boot-based decis…
9.8
CVE-2025-62354 -
Improper neutralization of special elements used in an OS command ('command injection') in Cursor allows an unauthorized attacker to execute commands that are outside of those specified in the allowlist, resulting in arbitrary code execution.
6.1
CVE-2025-9163 - Houzez <= 4.1.6 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload
The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping in the houzez_property_img_upload() and houzez_property_attachment_upload() functions. This makes i…
6.3
CVE-2025-9191 - Houzez <= 4.1.6 - Authenticated (Subscriber+) PHP Object Injection via Saved Search
The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No kn…
5.5
CVE-2025-13674 - Access of Uninitialized Pointer in Wireshark
BPv7 dissector crash in Wireshark 4.6.0 allows denial of service
9.8
CVE-2025-59390 - Apache Druid: Kerberos authentication chooses a cryptographically unsecure secret if not configured …
Apache Druid's Kerberos authenticator uses a weak fallback secret when the `druid.auth.authenticator.kerberos.cookieSignatureSecret` configuration is not explicitly set. In this case, the secret is generated using `ThreadLocalRandom`, which is not a cryptographically secure random number generato…
5.4
CVE-2025-62728 - Apache Hive: SQL injection vulnerability when processing delete column statistics requests via the …
SQL injection vulnerability in Hive Metastore Server (HMS) when processing delete column statistics requests via the Thrift APIs. The vulnerability is only exploitable by trusted/authorized users/applications that are allowed to call directly the Thrift APIs. In most real-world deployments, HMS is …
7.4
CVE-2025-13735 - Out-of-bounds Read in nr flc
Out-of-bounds Read vulnerability in ASR1903, ASR3901 in ASR Lapwing_Linux on Linux (nr_fw modules). This vulnerability is associated with program files Code/nr_fw/DLP/src/NrCgi.C. This issue affects Lapwing_Linux: before 2025/11/26.
8.6
CVE-2025-12061 - Tax Service Electronic HDM < 1.2.1 - Unauthenticated Arbitrary SQL Execution
The TAX SERVICE Electronic HDM WordPress plugin before 1.2.1 does not perform authorization and CSRF checks in an AJAX action, allowing unauthenticated users to import and execute arbitrary SQL statements.