5.4
CVE-2025-23221 - Fedify has an Infinite loop and Blind SSRF found inside the Webfinger mechanism
Fedify is a TypeScript library for building federated server apps powered by ActivityPub and other standards. This vulnerability allows a user to maneuver the Webfinger mechanism to perform a GET request to any internal resource on any Host, Port, URL combination regardless of present security mechβ¦
5.3
CVE-2025-24013 - CodeIgniter validation of header name and value
CodeIgniter is a PHP full-stack web framework. Prior to 4.5.8, CodeIgniter lacked proper header validation for its name and value. The potential attacker can construct deliberately malformed headers with Header class. This could disrupt application functionality, potentially causing errors or generβ¦
6.5
CVE-2025-24010 - Vite allows any websites to send any requests to the development server and read the response
Vite is a frontend tooling framework for javascript. Vite allowed any websites to send any requests to the development server and read the response due to default CORS settings and lack of validation on the Origin header for WebSocket connections. This vulnerability is fixed in 6.0.9, 5.4.12, and 4β¦
10
CVE-2025-23220 - WeGIA has a SQL Injection endpoint 'adicionar_raca.php' parameter 'raca'
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in the WeGIA application, specifically in the adicionar_raca.php endpoint. This vulnerability allows attackers to execute arbitrary SQL commands in tβ¦
10
CVE-2025-23219 - WeGIA has a SQL Injection endpoint 'adicionar_cor.php' parameter 'cor'
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in the WeGIA application, specifically in the adicionar_cor.php endpoint. This vulnerability allows attackers to execute arbitrary SQL commands in thβ¦
10
CVE-2025-23218 - WeGIA has a SQL Injection endpoint 'adicionar_especie.php' parameter 'especie'
WeGIA is an open source web manager with a focus on the Portuguese language and charitable institutions. A SQL Injection vulnerability was identified in the WeGIA application, specifically in the adicionar_especie.php endpoint. This vulnerability allows attackers to execute arbitrary SQL commands iβ¦
6.8
CVE-2025-23044 - Cross-Site Request Forgery (CSRF) allows creating admin account with POST request
PwnDoc is a penetration test report generator. There is no CSRF protection in pwndoc, allowing attackers to send requests on a logged-in user's behalf. This includes GET and POST requests due to the missing SameSite= attribute on cookies and the ability to refresh cookies. Commit 14acb704891245bf17β¦
5
CVE-2025-22620 - gix-worktree-state nonexclusive checkout sets executable files world-writable
gitoxide is an implementation of git written in Rust. Prior to 0.17.0, gix-worktree-state specifies 0777 permissions when checking out executable files, intending that the umask will restrict them appropriately. But one of the strategies it uses to set permissions is not subject to the umask. This β¦
5.1
CVE-2025-22131 - Cross-Site Scripting (XSS) vulnerability in generateNavigation() function
PhpSpreadsheet is a PHP library for reading and writing spreadsheet files. Cross-Site Scripting (XSS) vulnerability in the code which translates the XLSX file into a HTML representation and displays it in the response.
7.7
CVE-2024-51738 - Sunshine improperly enforces pairing protocol request order
Sunshine is a self-hosted game stream host for Moonlight. In 0.23.1 and earlier, Sunshine's pairing protocol implementation does not validate request order and is thereby vulnerable to a MITM attack, potentially allowing an unauthenticated attacker to pair a client by hijacking a legitimate pairingβ¦