6.5
CVE-2025-22602 - Stored DOM-based XSS (without CSP) via video placeholders in Discourse
Discourse is an open source platform for community discussion. In affected versions an attacker can execute arbitrary JavaScript on users' browsers by posting a malicious video placeholder html element. This issue only affects sites with CSP disabled. This problem has been patched in the latest verβ¦
8.2
CVE-2025-23023 - Anonymous cache poisoning via request headers in Discourse
Discourse is an open source platform for community discussion. In affected versions an attacker can carefully craft a request with the right request headers to poison the anonymous cache (for example, the cache may have a response with missing preloaded data). This issue only affects anonymous visβ¦
5
CVE-2024-45657 - IBM Security Verify Access incorrect privilege assignment
IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a local privileged user to perform unauthorized actions due to incorrect permissions assignment.
6.5
CVE-2024-35138 - IBM Security Verify Access cross-site request forgery
IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 is vulnerable to cross-site request forgery which could allow an attacker to execute malicious and unauthorized actions transmitted from a user that the website trusts.
5.9
CVE-2024-43187 - IBM Security Verify Access information disclosure
IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 transmits sensitive or security-critical data in cleartext in a communication channel that can be sniffed by unauthorized actors.
2.7
CVE-2024-45658 - IBM Security Verify Access information disclosure
IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 could allow a remote attacker to obtain sensitive information when a detailed technical error message is returned. This information could be used in further attacks against the system.
6.1
CVE-2024-40700 - IBM Security Verify Access cross-site scripting
IBM Security Verify Access Appliance and Container 10.0.0 through 10.0.8 is vulnerable to cross-site scripting. This vulnerability allows an unauthenticated attacker to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosuβ¦
7.3
CVE-2025-0509 - Signing Checks Bypass
A security issue was found in Sparkle before version 2.6.4. An attacker can replace an existing signed update with another payload, bypassing Sparkleβs (Ed)DSA signing checks.
6
CVE-2025-0630 - Western Telematic Inc NPS Series, DSM Series, CPM Series External Control of File Name or Path
Multiple Western Telematic (WTI) products contain a web interface that is vulnerable to a local file inclusion attack (LFI), where any authenticated user has privileged access to files on the device's filesystem.
5.9
CVE-2025-24963 - Browser mode serves arbitrary files in vitest
Vitest is a testing framework powered by Vite. The `__screenshot-error` handler on the browser mode HTTP server that responds any file on the file system. Especially if the server is exposed on the network by `browser.api.host: true`, an attacker can send a request to that handler from remote to geβ¦