5.3

CVSS3.1

CVE-2025-32385 - EspoCRM allows unrestricted Embedding in Iframe dashlet

EspoCRM is an open-source Customer Relationship Management software. Prior to 9.0.5, the Iframe dashlet allows users to display iframes with arbitrary URLs. As the sandbox attribute is not included in the iframe, the remote page can open popups outside of the iframe, potentially tricking users and creat…

📅 Published: April 15, 2025, 11:23 p.m. 🔄 Last Modified: June 27, 2025, 3:51 p.m.

0.0

CVE-2025-3673 -

** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2023-3092. Reason: This candidate is a reservation duplicate of CVE-2023-3092. Notes: All CVE users should reference CVE-2023-3092 instead of this candidate. All references and descriptions in this candidate have been removed to pre…

📅 Published: April 15, 2025, 11:22 p.m. 🔄 Last Modified: April 23, 2025, 7:16 p.m.

5.4

CVSS3.1

CVE-2025-32388 - SvelteKit allows XSS via tracked search_params

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6, unsanitized search param names cause an XSS vulnerability. You are affected if you iterate over all entries of event.url.searchParams inside a server load function. Attackers can exploit…

📅 Published: April 15, 2025, 10:32 p.m. 🔄 Last Modified: April 16, 2025, 1:33 p.m.

2.6

CVSS3.1

CVE-2025-32435 - Hydra no restricted eval after nix-eval-jobs migration

Hydra is a Continuous Integration service for Nix-based projects. Evaluation of untrusted non-flake nix code could potentially access secrets that are accessible by the hydra user/group. This should not affect the signing keys, which are owned by the hydra-queue-runner and hydra-www users respective…

📅 Published: April 15, 2025, 10:19 p.m. 🔄 Last Modified: Sept. 22, 2025, 2:56 p.m.

5.3

CVSS3.1

CVE-2025-32782 - Ash Authentication email link auto-click account confirmation vulnerability

Ash Authentication provides authentication for the Ash framework. The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g., Outlook, virus scanners, and email previewers) may automatically follow…

📅 Published: April 15, 2025, 10:04 p.m. 🔄 Last Modified: April 16, 2025, 3:36 p.m.

6.9

CVSS4.0

CVE-2025-27929 - Growatt Cloud portal Authorization Bypass Through User-Controlled Key

Unauthenticated attackers can retrieve the full list of users associated with arbitrary accounts.

📅 Published: April 15, 2025, 9:59 p.m. 🔄 Last Modified: Nov. 14, 2025, 6:12 p.m.

6.9

CVSS4.0

CVE-2025-24315 - Growatt Cloud portal Authorization Bypass Through User-Controlled Key

Unauthenticated attackers can add devices of other users to their scenes (or arbitrary scenes of other arbitrary users).

📅 Published: April 15, 2025, 9:57 p.m. 🔄 Last Modified: Nov. 14, 2025, 6:14 p.m.

7.5

CVSS4.0

CVE-2025-32784 - conda-forge-webservices has an Unauthorized Artifact Modification Race Condition

conda-forge-webservices is the web app deployed to run conda-forge admin commands and linting. In versions prior to 2025.4.10, a race condition vulnerability has been identified in the conda-forge-webservices component used within the shared build infrastructure. This vulnerability, categorized as …

📅 Published: April 15, 2025, 9:56 p.m. 🔄 Last Modified: April 17, 2025, 2:25 p.m.

6.9

CVSS4.0

CVE-2025-27561 - Growatt Cloud portal Authorization Bypass Through User-Controlled Key

Unauthenticated attackers can rename "rooms" of arbitrary users.

📅 Published: April 15, 2025, 9:55 p.m. 🔄 Last Modified: Nov. 14, 2025, 6:13 p.m.

0.0

CVE-2025-32923 - WordPress Tourmaster plugin < 5.4.1 - Cross Site Scripting (XSS) vulnerability

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GoodLayers Tourmaster tourmaster allows Reflected XSS. This issue affects Tourmaster: from n/a through < 5.4.1.

📅 Published: April 15, 2025, 9:53 p.m. 🔄 Last Modified: April 1, 2026, 5:22 p.m.
Total results: 343194