6.9
CVE-2025-25304 - Vega allows Cross-site Scripting via the vlSelectionTuples function
Vega is a visualization grammar, a declarative format for creating, saving, and sharing interactive visualization designs. Prior to version 5.26.0 of vega and 5.4.2 of vega-selections, the `vlSelectionTuples` function can be used to call JavaScript functions, leading to cross-site scripting. `vlSele…
8.6
CVE-2025-25297 - Label Studio allows Server-Side Request Forgery in the S3 Storage Endpoint
Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's S3 storage integration feature contains a Server-Side Request Forgery (SSRF) vulnerability in its endpoint configuration. When creating an S3 storage connection, the application allows users to specify a cust…
6.1
CVE-2025-25296 - Label Studio allows Cross-Site Scripting (XSS) via GET request to `/projects/upload-example` endpoi…
Label Studio is an open source data labeling tool. Prior to version 1.16.0, Label Studio's `/projects/upload-example` endpoint allows injection of arbitrary HTML through a `GET` request with an appropriately crafted `label_config` query parameter. By crafting a specially formatted XML label config …
3.1
CVE-2025-0503 - Leaked User IDs and Metadata of Deleted DMs
Mattermost versions 9.11.x <= 9.11.6 fail to filter out DMs from the deleted channels endpoint which allows an attacker to infer user IDs and other metadata from deleted DMs if someone had manually marked DMs as deleted in the database.
8.3
CVE-2025-26508 - Certain HP LaserJet Pro, HP LaserJet Enterprise, HP LaserJet Managed Printers – Potential Remote Co…
Certain HP LaserJet Pro, HP LaserJet Enterprise, and HP LaserJet Managed Printers may potentially be vulnerable to Remote Code Execution and Elevation of Privilege when processing a PostScript print job.
6.3
CVE-2025-26507 - Certain HP LaserJet Pro, HP LaserJet Enterprise, HP LaserJet Managed Printers – Potential Remote Co…
Certain HP LaserJet Pro, HP LaserJet Enterprise, and HP LaserJet Managed Printers may potentially be vulnerable to Remote Code Execution and Elevation of Privilege when processing a PostScript print job.
9.2
CVE-2025-26506 - Certain HP LaserJet Pro, HP LaserJet Enterprise, HP LaserJet Managed Printers – Potential Remote Co…
Certain HP LaserJet Pro, HP LaserJet Enterprise, and HP LaserJet Managed Printers may potentially be vulnerable to Remote Code Execution and Elevation of Privilege when processing a PostScript print job.
8.7
CVE-2025-25295 - Label Studio has a Path Traversal Vulnerability via image Field
Label Studio is an open source data labeling tool. A path traversal vulnerability in Label Studio SDK versions prior to 1.0.10 allows unauthorized file access outside the intended directory structure. The flaw exists in the VOC, COCO and YOLO export functionalities. These functions invoke a `downlo…
8.3
CVE-2025-25206 - Incorrect input validation could allow an authenticated user to read sensitive information
eLabFTW is an open source electronic lab notebook for research labs. Prior to version 5.1.15, an incorrect input validation could allow an authenticated user to read sensitive information, including login token or other content stored in the database. This could lead to privilege escalation if cook…
6.3
CVE-2025-25204 - `gh attestation verify` returns incorrect exit code during verification if no attestations are pres…
`gh` is GitHub's official command line tool. Starting in version 2.49.0 and prior to version 2.67.0, under certain conditions, a bug in GitHub's Artifact Attestation cli tool `gh attestation verify` causes it to return a zero exit status when no attestations are present. This behavior is incorrect:…