6.1
CVE-2025-2748 - Kentico Xperience stored cross-site scripting in multiple-file upload functionality
The Kentico Xperience application does not fully validate or filter files uploaded via the multiple-file upload functionality, which allows for stored XSS. This issue affects Kentico Xperience through 13.0.178.
7.2
CVE-2025-2749 - Kentico Xperience <= 13.0.178 Staging Media File Upload Authenticated RCE
An authenticated remote code execution in Kentico Xperience allows authenticated users Staging Sync Server to upload arbitrary data to path relative locations. This results in path traversal and arbitrary file upload, including content that can be executed server side leading to remote code executi…
9.8
CVE-2025-2747 - Kentico Xperience <= 13.0.178 Staging Sync Server None Password Type Authentication Bypass
An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server component password handling for the server defined None type. Authentication bypass allows an attacker to control administrative objects. This issue affects Xperience through 13.0.178.
9.8
CVE-2025-2746 - Kentico Xperience <= 13.0.172 Staging Sync Server Digest Password Authentication Bypass
An authentication bypass vulnerability in Kentico Xperience allows authentication bypass via the Staging Sync Server password handling of empty SHA1 usernames in digest authentication. Authentication bypass allows an attacker to control administrative objects. This issue affects Xperience through 13…
5.3
CVE-2025-22223 - spring-security: authorization bypass via incorrectly locating method security annotations on param…
Spring Security 6.4.0 - 6.4.3 may not correctly locate method security annotations on parameterized types or methods. This may cause an authorization bypass. You are not affected if you are not using @EnableMethodSecurity, or you do not have method security annotations on parameterized types or m…
5.3
CVE-2025-30208 - Vite bypasses server.fs.deny when using `?raw??`
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content i…
7.6
CVE-2025-30205 - kanidm-provision leaks provisioned admin credentials into the system log
kanidm-provision is a helper utility that uses kanidm's API to provision users, groups and oauth2 systems. Prior to version 1.2.0, a faulty function instrumentation in the (optional) kanidm patches provided by kanidm-provision will cause the provisioned admin credentials to be leaked to the system …
5.8
CVE-2025-29778 - Kyverno ignores subjectRegExp and IssuerRegExp
Kyverno is a policy engine designed for cloud native platform engineering teams. Prior to version 1.14.0-alpha.1, Kyverno ignores subjectRegExp and IssuerRegExp while verifying artifact's sign with keyless mode. It allows the attacker to deploy kubernetes resources with the artifacts that were sign…
7.2
CVE-2025-0255 - HCL DevOps Deploy / HCL Launch is susceptible to command injection vulnerability
HCL DevOps Deploy / HCL Launch could allow a remote privileged authenticated attacker to execute arbitrary commands on the system by sending specially crafted input containing special elements.
6.1
CVE-2024-9103 - Persistent XSS in blocked messages
Improper Neutralization of Script in Attributes in a Web Page vulnerability in Forcepoint Email Security (Blocked Messages module) allows Stored XSS. This issue affects Email Security through 8.5.5.