CVSS3.1 score: 4.3

CVE-2025-64749 - Directus Vulnerable to Information Leakage in Existing Collections

Directus is a real-time API and App dashboard for managing SQL database content. An observable difference in error messaging was found in the Directus REST API in versions of Directus prior to version 11.13.0. The `/items/{collection}` API returns different error messages for two cases: when a user…

📅 Published: Nov. 13, 2025, 9:34 p.m. 🔄 Last Modified: Dec. 8, 2025, 3:02 p.m.

CVSS3.1 score: 6.5

CVE-2025-64748 - Directus's conceal fields are searchable if read permissions enabled

Directus is a real-time API and App dashboard for managing SQL database content. A vulnerability in versions prior to 11.13.0 allows authenticated users to search concealed/sensitive fields when they have read permissions. While actual values remain masked (`****`), successful matches can be detect…

📅 Published: Nov. 13, 2025, 9:29 p.m. 🔄 Last Modified: Dec. 8, 2025, 3 p.m.

CVSS3.1 score: 7.5

CVE-2025-47913 - Potential denial of service in golang.org/x/crypto/ssh/agent

SSH clients receiving SSH_AGENT_SUCCESS when expecting a typed response will panic and cause early termination of the client process.

📅 Published: Nov. 13, 2025, 9:29 p.m. 🔄 Last Modified: Jan. 9, 2026, 3:32 p.m.

CVSS3.1 score: 5.5

CVE-2025-64747 - Directus Vulnerable to Stored Cross-site Scripting

Directus is a real-time API and App dashboard for managing SQL database content. A stored cross-site scripting (XSS) vulnerability exists in versions prior to 11.13.0 that allows users with `upload files` and `edit item` permissions to inject malicious JavaScript through the Block Editor interface.…

📅 Published: Nov. 13, 2025, 9:13 p.m. 🔄 Last Modified: Nov. 19, 2025, 2:49 p.m.

CVSS3.1 score: 4.6

CVE-2025-64746 - Directus has Improper Permission Handling on Deleted Fields

Directus is a real-time API and App dashboard for managing SQL database content. Prior to version 11.13.0, Directus does not properly clean up field-level permissions when a field is deleted. When a field is removed from a collection, its reference in the permissions table remains intact. This stal…

📅 Published: Nov. 13, 2025, 8:54 p.m. 🔄 Last Modified: Dec. 8, 2025, 2:58 p.m.

CVSS3.1 score: 3.5

CVE-2025-64744 - OpenObserve Vulnerable to HTML Injection in Organization Invitation Emails

OpenObserve is a cloud-native observability platform. In versions up to and including 0.16.1, when creating or renaming an organization with HTML in the name, the markup is rendered inside the invitation email. This indicates that user-controlled input is inserted into the email template without pr…

📅 Published: Nov. 13, 2025, 8:30 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

CVSS3.1 score: 2.7

CVE-2025-64745 - Astro development server error page vulnerable to reflected Cross-site Scripting

Astro is a web framework. Starting in version 5.2.0 and prior to version 5.15.6, a Reflected Cross-Site Scripting (XSS) vulnerability exists in Astro's development server error pages when the `trailingSlash` configuration option is used. An attacker can inject arbitrary JavaScript code that execute…

📅 Published: Nov. 13, 2025, 8:26 p.m. 🔄 Last Modified: Nov. 25, 2025, 3:13 p.m.

CVSS4.0 score: 6.6

CVE-2025-4619 - PAN-OS: Firewall Denial of Service (DoS) Using Specially Crafted Packets

A denial-of-service (DoS) vulnerability in Palo Alto Networks PAN-OS software enables an unauthenticated attacker to reboot a firewall by sending a specially crafted packet through the dataplane. Repeated attempts to initiate a reboot cause the firewall to enter maintenance mode. This issue is ap…

📅 Published: Nov. 13, 2025, 8:24 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

CVSS4.0 score: 7.3

CVE-2025-64726 - External Control of System or Configuration Setting and Uncontrolled Search Path Element in sfw

Socket Firewall is an HTTP/HTTPS proxy server that intercepts package manager requests and enforces security policies by blocking dangerous packages. Socket Firewall binary versions (separate from installers) prior to 0.15.5 are vulnerable to arbitrary code execution when run in untrusted project d…

📅 Published: Nov. 13, 2025, 7:55 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

CVSS3.1 score: 8.1

CVE-2025-59840 - Vega Cross-Site Scripting (XSS) via expressions abusing toString calls in environments using the VE…

Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. In Vega prior to version 6.2.0, applications meeting 2 conditions are at risk of arbitrary JavaScript code execution, even if "safe mode" expressionInterpreter is used. They ar…

📅 Published: Nov. 13, 2025, 7:54 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.