4.6
CVE-2024-47770 - Ability to view Agent list with no privilege access in wazuh-dashboard
Wazuh is a free and open source platform used for threat prevention, detection, and response. It is capable of protecting workloads across on-premises, virtualized, containerized, and cloud-based environments. This vulnerability occurs when the system has weak privilege access, that allows an attac…
4.3
CVE-2025-22129 - Initial effort field does not respect field permissions in the Taskboard REST card representation i…
Tuleap is an Open Source Suite to improve management of software developments and collaboration. In affected versions an unauthorized user might get access to restricted information. This issue has been addressed in Tuleap Community Edition 16.3.99.1736242932, Tuleap Enterprise Edition 16.2-5, and …
5.3
CVE-2025-24029 - Artifact permissions are not verified in the Cross Tracker Search widget in Tuleap
Tuleap is an Open Source Suite to improve management of software developments and collaboration. Users (possibly anonymous ones if the widget is used in the dashboard of a public project) might get access to artifacts they should not see. This issue has been addressed in Tuleap Community Edition 16…
7.1
CVE-2025-24371 - Malicious peer can make node stuck in blocksync in github.com/cometbft/cometbft
CometBFT is a distributed, Byzantine fault-tolerant, deterministic state machine replication engine. In the `blocksync` protocol peers send their `base` and `latest` heights when they connect to a new node (`A`), which is syncing to the tip of a network. `base` acts as a lower ground and informs `A…
4.8
CVE-2025-23210 - Bypass XSS sanitizer using the javascript protocol and special characters in phpoffice/phpspreadshe…
phpoffice/phpspreadsheet is a pure PHP library for reading and writing spreadsheet files. Affected versions have been found to have a Bypass of the Cross-site Scripting (XSS) sanitizer using the javascript protocol and special characters. This issue has been addressed in versions 3.9.0, 2.3.7, 2.1.…
9.3
CVE-2025-24370 - Django-Unicorn Class Pollution Vulnerability, Leading to XSS, DoS and Authentication Bypass
Django-Unicorn adds modern reactive component functionality to Django templates. Affected versions of Django-Unicorn are vulnerable to python class pollution vulnerability. The vulnerability arises from the core functionality `set_property_value`, which can be remotely triggered by users by craftin…
7.1
CVE-2025-24899 - Disclosure of Sensitive User Information via API in reNgine
reNgine is an automated reconnaissance framework for web applications. A vulnerability was discovered in reNgine, where **an insider attacker with any role** (such as Auditor, Penetration Tester, or Sys Admin) **can extract sensitive information from other reNgine users.** After running a scan and …
8.7
CVE-2025-24962 - Command Injection in reNgine
reNgine is an automated reconnaissance framework for web applications. In affected versions a user can inject commands via the nmap_cmd parameters. This issue has been addressed in commit `c28e5c8d` and is expected in the next versioned release. Users are advised to filter user input and monitor th…
1
CVE-2025-24959 - Environment Variable Injection for dotenv API in zx
zx is a tool for writing better scripts. An attacker with control over environment variable values can inject unintended environment variables into `process.env`. This can lead to arbitrary command execution or unexpected behavior in applications that rely on environment variables for security-sens…
8.7
CVE-2025-24960 - Missing Input validation for filename in backups endpoint in Jellystat
Jellystat is a free and open source Statistics App for Jellyfin. In affected versions Jellystat is directly using a user input in the route(s). This can lead to Path Traversal Vulnerabilities. Since this functionality is only for admin(s), there is very little scope for abuse. However, the `DELETE`…