5.1
CVE-2025-5879 - WuKongOpenSource WukongCRM File Upload AdminSysConfigController.java cross site scripting
A vulnerability, which was classified as problematic, was found in WuKongOpenSource WukongCRM 9.0. This affects an unknown part of the file AdminSysConfigController.java of the component File Upload. The manipulation of the argument File leads to cross site scripting. It is possible to initiate theβ¦
6
CVE-2025-49130 - Laravel Translation Manager Vulnerable to Stored Cross-site Scripting
Laravel Translation Manager is a package to manage Laravel translation files. Prior to version 0.6.8, the application is vulnerable to Cross-Site Scripting (XSS) attacks due to incorrect input validation and sanitization of user-input data. An attacker can inject arbitrary HTML code, including Javaβ¦
10
CVE-2025-49013 - WilderForge vulnerable to code Injection via GitHub Actions Workflows
WilderForge is a Wildermyth coremodding API. A critical vulnerability has been identified in multiple projects across the WilderForge organization. The issue arises from unsafe usage of `${{ github.event.review.body }}` and other user controlled variables directly inside shell script contexts in Giβ¦
6.3
CVE-2025-49131 - FastGPT Sandbox Vulnerable to Sandbox Bypass
FastGPT is an open-source project that provides a platform for building, deploying, and operating AI-driven workflows and conversational agents. The Sandbox container (fastgpt-sandbox) is a specialized, isolated environment used by FastGPT to safely execute user-submitted or dynamically generated cβ¦
8.2
CVE-2025-49006 - Wasp has case insensitive OAuth ID vulnerability
Wasp (Web Application Specification) is a Rails-like framework for React, Node.js, and Prisma. Prior to version 0.16.6, Wasp authentication has a vulnerability in the OAuth authentication implementation (affecting only Keycloak with a specific config). Wasp currently lowercases OAuth user IDs beforβ¦
8.1
CVE-2025-48877 - Discourse vulnerable to auto-executing of third-party code in embedded CodePen iframe
Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, Codepen is present in the default `allowed_iframes` site setting, and it can potentially auto-run arbitβ¦
7.1
CVE-2025-48062 - Discourse vulnerable to HTML injection when inviting to topic via email
Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, certain invites via email may result in HTML injection in the email body if the topic title includes HTβ¦
5.3
CVE-2025-5877 - Fengoffice Feng Office Document Upload ApplicationDataObject.class.php xml external entity reference
A vulnerability, which was classified as problematic, has been found in Fengoffice Feng Office 3.2.2.1. Affected by this issue is some unknown functionality of the file /application/models/ApplicationDataObject.class.php of the component Document Upload Handler. The manipulation leads to xml externβ¦
8.7
CVE-2025-48053 - Discourse vulnerable to DoS via large URL payload in PM to a bot
Discourse is an open-source discussion platform. Prior to version 3.4.4 of the `stable` branch, version 3.5.0.beta5 of the `beta` branch, and version 3.5.0.beta6-dev of the `tests-passed` branch, sending a malicious URL in a PM to a bot user can cause a reduced the availability of a Discourse instaβ¦
7.1
CVE-2025-40670 - Incorrect Authorization vulnerability in TCMAN GIM
Incorrect authorization vulnerability in TCMAN's GIM v11. This vulnerability allows an unprivileged attacker to create a user and assign it many privileges by sending a POST request to /PC/frmGestionUser.aspx/updateUser.