0

CVSS4.0

CVE-2025-3469 - i18n XSS vulnerability in HTMLMultiSelectField when sections are used

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program file includes/htmlform/fields/HTMLMultiSelectField.php. This issue affects MediaWiki: before 1.39.12, 1.42.6, …

📅 Published: April 10, 2025, 6:28 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

5.3

CVSS3.1

CVE-2025-22232 - Spring Cloud Config Server May Not Use Vault Token Sent By Clients

Spring Cloud Config Server may not use Vault token sent by clients using a X-CONFIG-TOKEN header when making requests to Vault. Your application may be affected by this if the following are true: * You have Spring Vault on the classpath of your Spring Cloud Config Server and * You are using t…

📅 Published: April 10, 2025, 5:26 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

2.7

CVSS3.1

CVE-2025-24866 - Unauthorized Access to User Activity Logs API by delegated granular administration roles

Mattermost versions 9.11.x <= 9.11.8 fail to enforce proper access controls on the /api/v4/audits endpoint, allowing users with delegated granular administration roles who lack access to Compliance Monitoring to retrieve User Activity Logs.

📅 Published: April 10, 2025, 3:33 p.m. 🔄 Last Modified: Oct. 1, 2025, 6:06 p.m.

1.8

CVSS4.0

CVE-2025-32382 - Snowflake credentials logged by the Metabase backend

Metabase is an open source Business Intelligence and Embedded Analytics tool. When admins change Snowflake connection details in Metabase (either updating a password or changing password to private key or vice versa), Metabase would not always purge older Snowflake connection details from the appli…

📅 Published: April 10, 2025, 2:40 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

6.1

CVSS3.1

CVE-2025-32027 - Yii does not prevent XSS in scenarios where fallback error renderer is used

Yii is an open source PHP web framework. Prior to 1.1.31, yiisoft/yii is vulnerable to Reflected XSS in specific scenarios where the fallback error renderer is used. Upgrade yiisoft/yii to version 1.1.31 or higher.

📅 Published: April 10, 2025, 2:32 p.m. 🔄 Last Modified: Sept. 17, 2025, 6:30 p.m.

6.4

CVSS3.1

CVE-2025-0362 - Improper Restriction of Rendered UI Layers or Frames in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 7.7 before 17.8.7, 17.9 before 17.9.6, and 17.10 before 17.10.4. Under certain conditions, an attacker could potentially trick users into unintentionally authorizing sensitive actions on their behalf.

📅 Published: April 10, 2025, 2:31 p.m. 🔄 Last Modified: Aug. 7, 2025, 6:34 p.m.

6.5

CVSS3.1

CVE-2025-4574 - Crossbeam-channel: crossbeam-channel vulnerable to double free on drop

In crossbeam-channel rust crate, the internal `Channel` type's `Drop` method has a race condition which could, in some circumstances, lead to a double-free that could result in memory corruption.

📅 Published: April 10, 2025, 2:30 p.m. 🔄 Last Modified: April 15, 2026, 12:35 a.m.

3.7

CVSS3.1

CVE-2025-2469 - Debug Messages Revealing Unnecessary Information in GitLab

An issue has been discovered in GitLab CE/EE affecting all versions from 17.9 before 17.9.6, and 17.10 before 17.10.4. The runtime profiling data of a specific service was accessible to unauthenticated users.

📅 Published: April 10, 2025, 1:30 p.m. 🔄 Last Modified: Aug. 7, 2025, 6:36 p.m.

4

CVSS3.1

CVE-2023-43035 - IBM Sterling Control Center information disclosure

IBM Sterling Control Center 6.2.1, 6.3.1, and 6.4.0 allows web pages to be stored locally which can be read by another user on the system.

📅 Published: April 10, 2025, 1:26 p.m. 🔄 Last Modified: Aug. 17, 2025, 12:05 a.m.

6

CVSS4.0

CVE-2025-32395 - Vite has an `server.fs.deny` bypass with an invalid `request-target`

Vite is a frontend tooling framework for JavaScript. Prior to 6.2.6, 6.1.5, 6.0.15, 5.4.18, and 4.5.13, the contents of arbitrary files can be returned to the browser if the dev server is running on Node or Bun. The HTTP/1.1 spec (RFC 9112) does not allow # in request-target. Although an attacker can s…

📅 Published: April 10, 2025, 1:25 p.m. 🔄 Last Modified: July 12, 2025, 4:01 p.m.
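The Vite entry above turns on one detail: RFC 9112 does not permit `#` in a request-target, while a URL parser applied to the same string treats `#` as the start of a fragment and silently drops it, so a path check that runs after parsing never sees the character. The following is an added example, not Vite's code and not a reproduction of the bypass: a strict origin-form request-target validator written from the RFC grammar, run on the raw request line before any URL parsing, next to the lenient view a parser gives. Function names, the regex, and the sample request lines are this example's own.

```python
import re
from urllib.parse import urlsplit

# RFC 9112 origin-form request-target: absolute-path [ "?" query ].
# Path segments and query are built from pchar / "/" / "?" (RFC 3986).
# '#' is in none of those sets, so a raw request line containing it is invalid.
_PCHAR = r"(?:[A-Za-z0-9\-._~!$&'()*+,;=:@]|%[0-9A-Fa-f]{2})"
_ORIGIN_FORM = re.compile(rf"^(?:/{_PCHAR}*)+(?:\?(?:{_PCHAR}|[/?])*)?$")


def is_valid_origin_form(request_target: str) -> bool:
    """True if request_target is a syntactically valid origin-form target."""
    return bool(_ORIGIN_FORM.match(request_target))


def lenient_path(request_target: str) -> str:
    """Path that a generic URL parser reports for the same string.

    urlsplit treats everything after '#' as a fragment, so the '#' and anything
    following it vanish from .path; a deny-list keyed on .path never sees them.
    """
    return urlsplit(request_target).path


def check_request_line(request_line: str) -> tuple[bool, str]:
    """Validate 'METHOD SP request-target SP HTTP-version' on the raw bytes.

    Returns (accepted, reason). The check runs on the unparsed request-target,
    before any URL parsing, so an invalid character cannot be discarded as a
    fragment and then ignored by later path-based access checks.
    """
    parts = request_line.split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return False, "malformed request line"
    target = parts[1]
    if "#" in target:
        return False, "'#' is not permitted in request-target (RFC 9112)"
    if not is_valid_origin_form(target):
        return False, "request-target is not valid origin-form"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample request lines; the paths are illustrative only.
    for line in ("GET /src/main.ts?import HTTP/1.1",
                 "GET /config.json# HTTP/1.1",
                 "GET /a b HTTP/1.1"):
        print(line, "->", check_request_line(line))
    print("parser sees:", lenient_path("/config.json#"))
```

The point of running the strict check on the raw request line is ordering: any filter that is keyed on a parsed `.path` (a deny list, a root-directory check) is only as good as the parser's normalisation, and a parser that silently removes an invalid character has already changed what the filter is comparing against.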