5.1
CVE-2025-58758 - TinyEnv: Missing .env file not required β may cause unexpected behavior
TinyEnv is an environment variable loader for PHP applications. In versions 1.0.1, 1.0.2, 1.0.9, and 1.0.10, TinyEnv did not require the `.env` file to exist when loading environment variables. This could lead to unexpected behavior where the application silently ignores missing configuration, poteβ¦
5.3
CVE-2025-58442 - Saleor has user enumeration vulnerability due to different error messages
Saleor is an e-commerce platform. Starting in version 3.21.0 and prior to version 3.21.16, requesting certain fields in the response of `accountRegister` may result in errors that could unintentionally reveal whether a user with the provided email already exists in Saleor. Version 3.21.16 fixes theβ¦
4.1
CVE-2025-58435 - Open OnDemand didn't rotate password for VNC batch_connect
Open OnDemand is an open-source HPC portal. Prior to versions 3.1.15 and 4.0.7, noVNC interactive applications did not correctly rotate the password when TurboVNC was higher than version 3.1.2. The likelihood of exploitation is low as a user would need to share their link to an active desktop sessiβ¦
4.8
CVE-2025-34172 - Netgate pfSense CE HAProxy Package 0.63_10 Reflected Cross-Site Scripting
In pfSense CEΒ /usr/local/www/haproxy/haproxy_stats.php, the value of the showsticktablecontent parameter is displayed after being read from HTTP GET requests. This can enable reflected cross-site scripting when the victim is authenticated.
8.6
CVE-2025-58430 - listmonk Vulnerable to CSRF to XSS Chain That Can Lead to Admin Account Takeover
listmonk is a standalone, self-hosted, newsletter and mailing list manager. In versions up to and including 1.1.0, every http request in addition to the session cookie `session` there included `nonce`. The value is not checked and validated by the backend, removing `nonce` allows the requests to beβ¦
7.5
CVE-2025-58180 - OctoPrint is Vulnerable to RCE Attacks via Unsanitized Filename in File Upload
OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.11.2 contain a vulnerability that allows an authenticated attacker to upload a file under a specially crafted filename that will allow arbitrary command execution if said filename beβ¦
4.3
CVE-2025-36011 - IBM Jazz for Service Management information disclosure
IBM Jazz for Service Management 1.1.3.0 through 1.1.3.24 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to tβ¦
6.4
CVE-2025-36125 - IBM Hardware Management Console - Power Systems cross-site scripting
IBM Hardware Management Console - Power 10.3.1050.0 and 11.1.1110.0 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure wβ¦
7.1
CVE-2025-58063 - CoreDNS: DNS Cache Pinning via etcd Lease ID Confusion
CoreDNS is a DNS server that chains plugins. Starting in version 1.2.0 and prior to version 1.12.4, the CoreDNS etcd plugin contains a TTL confusion vulnerability where lease IDs are incorrectly used as TTL values, enabling DNS cache pinning attacks. This effectively creates a DoS condition for DNSβ¦
6.8
CVE-2025-47415 - RECWAVE Filepath Traversal
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in CRESTRON TOUCHSCREENS x70 allows Relative Path Traversal.This issue affects TOUCHSCREENS x70: from 3.000.0110.001 before 3.001.0031.001. Confirmed Affected Hardware:β―TSW-760, TSW-1060 Confβ¦