7.5
CVE-2025-1713 - deadlock potential with VT-d and legacy PCI device pass-through
When setting up interrupt remapping for legacy PCI(-X) devices, including PCI(-X) bridges, a lookup of the upstream bridge is required. This lookup, itself involving acquiring of a lock, is done in a context where acquiring that lock is unsafe. This can lead to a deadlock.
4.6
CVE-2025-53928 - MaxKB has RCE in MCP call
MaxKB is an open-source AI assistant for enterprise. Prior to versions 1.10.9-lts and 2.0.0, a Remote Command Execution vulnerability exists in the MCP call. Versions 1.10.9-lts and 2.0.0 fix the issue.
4.6
CVE-2025-53927 - MaxKB sandbox bypass
MaxKB is an open-source AI assistant for enterprise. Prior to version 2.0.0, the sandbox design rules can be bypassed because MaxKB only restricts the execution permissions of files in a specific directory. Therefore, an attacker can use the `shutil.copy2` method in Python to copy the command they β¦
9.1
CVE-2025-53909 - mailcow: dockerized vulnerable to SSTI in Quota and Quarantine Notification Template
mailcow: dockerized is an open source groupware/email suite based on docker. A Server-Side Template Injection (SSTI) vulnerability exists in versions prior to 2025-07 in the notification template system used by mailcow for sending quota and quarantine alerts. The template rendering engine allows teβ¦
6.5
CVE-2025-40924 - Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely
Catalyst::Plugin::Session before version 0.44 for Perl generates session ids insecurely. The session id is generated from a (usually SHA-1) hash of a simple counter, the epoch time, the built-in rand function, the PID and the current Catalyst context. This information is of low entropy. The PID wiβ¦
5.1
CVE-2025-5346 - File removal via path traversal in unsecured broadcast receiver in Bluebird barcode scanner applicaβ¦
Bluebird devices contain a pre-loaded barcode scanner application. This application exposes an unsecured broadcast receiver "kr.co.bluebird.android.bbsettings.BootReceiver". A local attacker can call the receiver to overwrite file containing ".json" keyword with default barcode config file. It is pβ¦
8.5
CVE-2025-5344 - Exposed AIDL service allowing for tampering of system secure settings in Bluebird kiosk application
Bluebird devices contain a pre-loaded kiosk application. This application exposes an unsecured service provider "com.bluebird.kiosk.launcher.IpartnerKioskRemoteService". A local attacker can bind to the AIDL-type service to modify device's global settings and wallpaper image. This issue affects alβ¦
6.3
CVE-2025-5345 - Exposed AIDL service allowing to read and delete files with system-level privileges in Bluebird filβ¦
Bluebird devices contain a pre-loaded file manager application. This application exposes an unsecured service provider "com.bluebird.system.koreanpost.IsdcardRemoteService". A local attacker can bind to the AIDL-type service to copy and delete arbitrary files from device's storage with system-levelβ¦
5.3
CVE-2025-4302 - Stop User Enumeration < 1.7.3 - Protection Bypass
The Stop User Enumeration WordPress plugin before version 1.7.3 blocks REST API /wp-json/wp/v2/users/ requests for non-authorized users. However, this can be bypassed by URL-encoding the API path.
8.7
CVE-2025-7735 - UNIMAXο½Hospital Information System - SQL Injection
The Hospital Information System developed by UNIMAX has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.