7.7

CVSS3.1

CVE-2025-68477 - Langflow vulnerable to Server-Side Request Forgery

Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to version 1.7.0, Langflow provides an API Request component that can issue arbitrary HTTP requests within a flow. This component takes a user-supplied URL, performs only normalization and basic format checks, and …

📅 Published: Dec. 19, 2025, 4:43 p.m. 🔄 Last Modified: Dec. 19, 2025, 6:15 p.m.

1.7

CVSS4.0

CVE-2025-68457 - Orejime has executable code in HTML attributes

Orejime is a consent manager that focuses on accessibility. On HTML elements handled by Orejime prior to version 2.3.2, one could run malicious code by embedding `javascript:` code within data attributes. When consenting to the related purpose, Orejime would turn data attributes into unprefixed one…

📅 Published: Dec. 19, 2025, 4:40 p.m. 🔄 Last Modified: Dec. 19, 2025, 6 p.m.

7.4

CVSS3.1

CVE-2025-14809 - Address bar spoofing risk in ArcSearch on Android

ArcSearch for Android versions prior to 1.12.6 could display a different domain in the address bar than the content being shown, enabling address bar spoofing after user interaction via crafted web content.

📅 Published: Dec. 19, 2025, 4:39 p.m. 🔄 Last Modified: Dec. 19, 2025, 6 p.m.

7.5

CVSS3.1

CVE-2025-14812 - Address bar spoofing risk in Arc Search on iOS

ArcSearch for iOS versions prior to 1.45.2 could display a different domain in the address bar than the content being shown after an iframe-triggered URI-scheme navigation, increasing spoofing risk.

📅 Published: Dec. 19, 2025, 4:38 p.m. 🔄 Last Modified: Dec. 19, 2025, 6 p.m.

9.7

CVSS3.1

CVE-2025-66580 - Dive has Cross-Site Scripting vulnerability that can escalate to Remote Code Execution

Dive is an open-source MCP Host Desktop Application that enables integration with function-calling LLMs. A critical Stored Cross-Site Scripting (XSS) vulnerability exists in versions prior to 0.11.1 in the Mermaid diagram rendering component. The application allows the execution of arbitrary JavaSc…

📅 Published: Dec. 19, 2025, 4:37 p.m. 🔄 Last Modified: Dec. 19, 2025, 6:15 p.m.

6.4

CVSS3.1

CVE-2025-65035 - GLPI Database Inventory Plugin Vulnerable to Stored Object Injection

pluginsGLPI's Database Inventory Plugin "manages" the Teclib' inventory agents in order to perform an inventory of the databases present on the workstation. Prior to version 1.1.2, in certain conditions (database write access must first be obtained through another vulnerability or misconfiguration)…

📅 Published: Dec. 19, 2025, 4:35 p.m. 🔄 Last Modified: Dec. 19, 2025, 6 p.m.

6.8

CVSS3.1

CVE-2023-30971 - Gaia unauthenticated endpoints

Gotham Gaia application was found to be exposing multiple unauthenticated endpoints.

📅 Published: Dec. 19, 2025, 4:34 p.m. 🔄 Last Modified: Dec. 19, 2025, 6 p.m.

9.1

CVSS3.1

CVE-2024-49587 - Glutton V1 endpoints missing authentication

Glutton V1 service endpoints were exposed without any authentication on Gotham stacks. This could have allowed users who did not have any permission to hit the Glutton backend directly and read/update/delete data. The affected service has been patched and automatically deployed to all Apollo-managed G…

📅 Published: Dec. 19, 2025, 4:33 p.m. 🔄 Last Modified: Dec. 20, 2025, 4:56 a.m.

4.8

CVSS4.0

CVE-2025-14956 - WebAssembly Binaryen wasm-binary.cpp readExport heap-based overflow

A vulnerability was determined in WebAssembly Binaryen up to 125. Affected by this issue is the function WasmBinaryReader::readExport of the file src/wasm/wasm-binary.cpp. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The exploit has bee…

📅 Published: Dec. 19, 2025, 4:32 p.m. 🔄 Last Modified: Dec. 19, 2025, 6 p.m.

6.3

CVSS4.0

CVE-2025-14955 - Open5GS PFCP handler.c ogs_pfcp_handle_create_pdr initialization

A vulnerability was found in Open5GS up to 2.7.5. Affected by this vulnerability is the function ogs_pfcp_handle_create_pdr in the library lib/pfcp/handler.c of the component PFCP. The manipulation results in improper initialization. It is possible to launch the attack remotely. This attack is char…

📅 Published: Dec. 19, 2025, 4:32 p.m. 🔄 Last Modified: Dec. 19, 2025, 6:15 p.m.