9.3

CVSS4.0

CVE-2025-13315 - Unauthenticated log access in Twonky Server

Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password.

📅 Published: Nov. 19, 2025, 5:41 p.m. 🔄 Last Modified: Dec. 2, 2025, 4:42 p.m.

6.8

CVSS3.1

CVE-2025-65089 - XWiki view file macro: User can view content of office file without view rights on the attachment

XWiki Remote Macros provides XWiki rendering macros that are useful when migrating content from Confluence. Prior to version 1.27.0, a user with no view rights on a page may see the content of an office attachment displayed with the view file macro. This issue has been patched in version 1.27.0.

📅 Published: Nov. 19, 2025, 5:41 p.m. 🔄 Last Modified: Jan. 15, 2026, 5:54 p.m.

9.4

CVSS4.0

CVE-2025-65095 - Lookyloo is vulnerable due to improper user input sanitization

Lookyloo is a web interface that allows users to capture a website page and then display a tree of the domains that call each other. Prior to version 1.35.1, there is potential cross-site scripting on the index and tree pages. This issue has been patched in version 1.35.1.

📅 Published: Nov. 19, 2025, 5:38 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

7.7

CVSS4.0

CVE-2025-65099 - Claude Code vulnerable to command execution prior to startup trust dialog

Claude Code is an agentic coding tool. Prior to version 1.0.39, when running on a machine with Yarn 3.0 or above, Claude Code could have been tricked into executing code contained in a project via yarn plugins before the user accepted the startup trust dialog. Exploiting this would have required a user…

📅 Published: Nov. 19, 2025, 5:35 p.m. 🔄 Last Modified: Nov. 25, 2025, 7:32 p.m.

6.1

CVSS3.1

CVE-2025-65026 - esm.sh CDN service has JS Template Literal Injection in CSS-to-JavaScript

esm.sh is a no-build content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service contains a Template Literal Injection vulnerability (CWE-94) in its CSS-to-JavaScript module conversion feature. When a CSS file is requested with the ?module query parameter, …

📅 Published: Nov. 19, 2025, 5:33 p.m. 🔄 Last Modified: Jan. 15, 2026, 5:53 p.m.
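The CWE-94 pattern named in the esm.sh advisory, as an added illustration (this is not esm.sh's code): a CSS-to-JS converter that wraps the stylesheet in a backtick template literal lets a `${...}` sequence inside the CSS run as JavaScript when the generated module is imported, while emitting the CSS as a JSON string literal leaves it inert because a JSON string has no interpolation syntax. The converter functions, the `importGenerated` helper and the `probe` payload are hypothetical, constructed for the demonstration.

```typescript
// Added example, not esm.sh's implementation. Function names and the payload
// below are constructed for the demonstration.

// VULNERABLE: escaping backslashes and backticks is not enough; "${" is still
// interpolation inside a template literal, so CSS content becomes code.
export function cssToModuleVulnerable(css: string): string {
  const body = css.replace(/\\/g, "\\\\").replace(/`/g, "\\`");
  return "export default `" + body + "`;\n";
}

// HARDENED: a JSON string literal is a valid JS string literal and carries no
// interpolation syntax, so the CSS is data no matter what it contains.
export function cssToModuleHardened(css: string): string {
  return "export default " + JSON.stringify(css) + ";\n";
}

// Simulates importing the generated module: the "export default" is turned into
// a return, and a probe object is exposed so a payload can leave a visible mark.
export function importGenerated(moduleSrc: string): { exported: string; probeHit: boolean } {
  const probe = { hit: false };
  const body = moduleSrc.replace(/^export default /, "return ");
  const exported = new Function("probe", body)(probe) as string;
  return { exported, probeHit: probe.hit };
}

// Constructed attacker-controlled stylesheet: a CSS comment carrying a "${...}"
// block. Under the vulnerable converter the comma expression runs at import time.
export const maliciousCss = "body { color: red } /* ${ probe.hit = true, '' } */";
```

Run `importGenerated(cssToModuleVulnerable(maliciousCss))` and the probe is hit and the comment body disappears from the exported CSS; the hardened converter returns the stylesheet byte-for-byte with the probe untouched. In a real CDN the "probe" would be whatever a published package's CSS chose to do in every importing page.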

8.2

CVSS3.1

CVE-2025-65025 - esm.sh CDN service has arbitrary file write via tarslip

esm.sh is a no-build content delivery network (CDN) for modern web development. Prior to version 136, the esm.sh CDN service is vulnerable to path traversal during NPM package tarball extraction. An attacker can craft a malicious NPM package containing specially crafted file paths (e.g., package/../.…

📅 Published: Nov. 19, 2025, 5:32 p.m. 🔄 Last Modified: Jan. 15, 2026, 5:52 p.m.
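The check whose absence produces "tarslip", as an added example (not esm.sh's code): every tar entry name is resolved under the extraction directory and rejected if the result, or a symlink's target, lands outside it. `TarEntry`, `safeEntryPath`, `planExtraction` and the sample entry list are hypothetical; no real tarball is read.

```typescript
// Added example, not esm.sh's implementation. Types, function names and the
// sample entries are constructed for the demonstration.
import * as path from "node:path";

export interface TarEntry {
  name: string;                   // path as recorded in the tar header
  type: "file" | "dir" | "symlink";
  linkname?: string;              // symlink target, for type === "symlink"
}

// True if candidate is root itself or lexically below it.
function isInside(root: string, candidate: string): boolean {
  const rel = path.relative(root, candidate);
  if (rel === "") return true;
  return rel !== ".." && !rel.startsWith(".." + path.sep) && !path.isAbsolute(rel);
}

// Returns the absolute destination for a safe entry, or null if writing it would
// escape destDir (".." segments, absolute names, or a symlink pointing out).
export function safeEntryPath(destDir: string, entry: TarEntry): string | null {
  const root = path.resolve(destDir);
  // Tar names are POSIX-style; treating backslashes as separators is the
  // conservative choice (it can only reject more, never accept more).
  const target = path.resolve(root, entry.name.replace(/\\/g, "/"));
  if (!isInside(root, target)) return null;
  if (entry.type === "symlink") {
    const linkTarget = path.resolve(path.dirname(target), (entry.linkname ?? "").replace(/\\/g, "/"));
    if (!isInside(root, linkTarget)) return null;
  }
  return target;
}

// Splits an archive listing into entries that may be written and entries that
// must be refused; a real extractor would abort on the first rejection.
export function planExtraction(
  destDir: string, entries: TarEntry[],
): { accepted: string[]; rejected: string[] } {
  const accepted: string[] = [];
  const rejected: string[] = [];
  for (const e of entries) {
    (safeEntryPath(destDir, e) === null ? rejected : accepted).push(e.name);
  }
  return { accepted, rejected };
}

// Constructed listing of a hostile package: two normal files, a traversal entry
// of the "package/../.." shape, an absolute name, an escaping symlink and a
// harmless in-tree symlink.
export function sampleEntries(): TarEntry[] {
  return [
    { name: "package/package.json", type: "file" },
    { name: "package/index.js", type: "file" },
    { name: "package/../../../tmp/owned.js", type: "file" },
    { name: "/etc/cron.d/esm", type: "file" },
    { name: "package/lib", type: "symlink", linkname: "../../.." },
    { name: "package/self", type: "symlink", linkname: "./index.js" },
  ];
}
```

The check is lexical, so it stops the crafted names the advisory describes but not an entry written through a symlink that an earlier entry already placed on disk; an extractor should also refuse to follow existing symlinks when it opens the destination (O_NOFOLLOW or an equivalent), and should run with a working directory it owns.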

8.1

CVSS3.1

CVE-2025-65034 - Rallly Improper Authorization Allows Reopening of Any Finalized Poll via Public pollId

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization vulnerability allows any authenticated user to reopen finalized polls belonging to other users by manipulating the pollId parameter. This can disrupt events managed by other users and compr…

📅 Published: Nov. 19, 2025, 5:26 p.m. 🔄 Last Modified: Nov. 24, 2025, 6:02 p.m.

8.1

CVSS3.1

CVE-2025-65033 - Rallly Broken Authorization: Any User Can Pause or Resume Any Poll via Poll ID Manipulation

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an authorization flaw in the poll management feature allows any authenticated user to pause or resume any poll, regardless of ownership. The system only uses the public pollId to identify polls, and it does not veri…

📅 Published: Nov. 19, 2025, 5:26 p.m. 🔄 Last Modified: Nov. 24, 2025, 6:02 p.m.

6.5

CVSS3.1

CVE-2025-65032 - Rallly Has an IDOR Vulnerability in Participant Rename Function Allows Unauthorized Modification of…

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to change the display names of other participants in polls without being an admin or the poll owner. By manipulating the partici…

📅 Published: Nov. 19, 2025, 5:26 p.m. 🔄 Last Modified: Nov. 24, 2025, 7:33 p.m.

6.5

CVSS3.1

CVE-2025-65031 - Rallly Improper Authorization in Comment Endpoint Allows User Impersonation

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an improper authorization flaw in the comment creation endpoint allows authenticated users to impersonate any other user by altering the authorName field in the API request. This enables attackers to post comments u…

📅 Published: Nov. 19, 2025, 5:25 p.m. 🔄 Last Modified: Nov. 25, 2025, 3:34 p.m.
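The four Rallly advisories above (CVE-2025-65034, -65033, -65032, -65031) share one root cause: a mutation is located by a public identifier that the caller supplies, and either ownership is never checked or an identity field is taken from the request body. The following is an added example, not Rallly's code, showing the authenticated-but-unauthorized handler beside the hardened form for the poll status and comment cases; the same caller-scoped lookup applies to the participant rename. The types, the in-memory store and the function names are hypothetical.

```typescript
// Added example, not Rallly's implementation. Types, store and names are
// constructed for the demonstration.
type PollStatus = "live" | "paused" | "finalized";

export interface Poll { id: string; ownerId: string; status: PollStatus; }
export interface Session { userId: string; userName: string; }
export interface Comment { pollId: string; authorId: string; authorName: string; text: string; }

// Constructed in-memory store standing in for the database; fresh copy per call.
export function makeStore(): Map<string, Poll> {
  return new Map<string, Poll>([
    ["poll-alice", { id: "poll-alice", ownerId: "alice", status: "finalized" }],
    ["poll-bob", { id: "poll-bob", ownerId: "bob", status: "live" }],
  ]);
}

// VULNERABLE: authenticated, but not authorized. The poll is found by its public
// id alone, so any logged-in user can pause, resume or reopen anyone's poll.
export function setPollStatusVulnerable(
  store: Map<string, Poll>, session: Session, pollId: string, status: PollStatus,
): Poll {
  if (!session.userId) throw new Error("unauthenticated");
  const poll = store.get(pollId);
  if (!poll) throw new Error("not found");
  poll.status = status;
  return poll;
}

// HARDENED: the lookup is scoped to the caller. A poll the caller does not own is
// reported exactly like one that does not exist, so the endpoint is not an id
// oracle, and the state is untouched on denial.
export function setPollStatusHardened(
  store: Map<string, Poll>, session: Session, pollId: string, status: PollStatus,
): Poll {
  if (!session.userId) throw new Error("unauthenticated");
  const poll = store.get(pollId);
  if (!poll || poll.ownerId !== session.userId) throw new Error("not found");
  poll.status = status;
  return poll;
}

// VULNERABLE: the displayed author comes from the request body, so a caller can
// post as anyone by choosing authorName.
export function createCommentVulnerable(
  session: Session, body: { pollId: string; authorName: string; text: string },
): Comment {
  return { pollId: body.pollId, authorId: session.userId, authorName: body.authorName, text: body.text };
}

// HARDENED: identity fields come from the server-side session only; the body
// type cannot even express an authorName.
export function createCommentHardened(
  session: Session, body: { pollId: string; text: string },
): Comment {
  return { pollId: body.pollId, authorId: session.userId, authorName: session.userName, text: body.text };
}
```

In an ORM-backed handler the hardened lookup is the `where: { id: pollId, ownerId: session.userId }` form rather than a fetch followed by an in-memory comparison, which keeps the authorization decision in the query and avoids a separate check that a later refactor can drop.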
Total results: 349182
Page 2958 of 34,919