8.1
CVE-2025-64101 - ZITADEL Vulnerable to Account Takeover via Malicious Forwarded Header Injection
Zitadel is open-source identity infrastructure software. Prior to 4.6.0, 3.4.3, and 2.71.18, a potential vulnerability exists in ZITADEL's password reset mechanism. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmatโฆ
7.5
CVE-2025-11232 - Invalid characters cause assert
To trigger the issue, three configuration parameters must have specific settings: "hostname-char-set" must be left at the default setting, which is "[^A-Za-z0-9.-]"; "hostname-char-replacement" must be empty (the default); and "ddns-qualifying-suffix" must *NOT* be empty (the default is empty). DDNโฆ
6.1
CVE-2025-64100 - CKAN Vulnerable to Session Cookie Fixation
CKAN is an open-source DMS (data management system) for powering data hubs and data portals. Prior to 2.10.9 and 2.11.4, session ids could be fixed by an attacker if the site is configured with server-side session storage (CKAN uses cookie-based session storage by default). The attacker would need โฆ
8.6
CVE-2025-62797 - CSRF in FluxCP account endpoints allows account takeover / state-changing actions
FluxCP is a web-based Control Panel for rAthena servers written in PHP. A critical Cross-Site Request Forgery (CSRF) vulnerability exists in the FluxCP-based website template used by multiple rAthena/Ragnarok servers. State-changing POST endpoints accept browser-initiated requests that are authorizโฆ
6.3
CVE-2025-1549 - WatchGuard Mobile VPN with SSL Local Privilege Escallation
A local privilege escalation vulnerability in the WatchGuard Mobile VPN with SSL client on Windows enables a local user to execute arbitrary commands with elevated privileges on the Windows system. This vulnerability is an additional unmitigated attack path for CVE-2024-4944. This vulnerabilitโฆ
10
CVE-2025-12479 - Systemic Lack of Cross-Site Request Forgery (CSRF) Token Implementation
Systemic Lack of Cross-Site Request Forgery (CSRF) Token Implementation.This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5 .
6.9
CVE-2025-62792 - Wazuh vulnerable to Heap-based Buffer Over-read in w_expression_match
Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.12.0, a buffer over-read occurs in w_expression_match() when strlen() is called on str_test, because the corresponding buffer is not being properly NULL terminated during its allocation in OS_Clโฆ
6.9
CVE-2025-62791 - Wazuh vulnerable to NULL pointer dereference in DecodeCiscat
Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.11.0, DecodeCiscat() implementation does not check the return the value of cJSON_GetObjectItem() for a possible NULL value in case of an error. A compromised agent can cause a crash of analysisdโฆ
6.9
CVE-2025-62790 - Wazuh vulnerable to NULL pointer dereference in fim_fetch_attributes_state
Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.11.0, fim_fetch_attributes_state() implementation does not check whether time_string is NULL or not before calling strlen() on it. A compromised agent can cause a crash of analysisd by sending aโฆ
6.9
CVE-2025-62789 - Wazuh vulnerable to NULL pointer dereference in fim_alert line 712
Wazuh is a free and open source platform used for threat prevention, detection, and response. Prior to 4.11.0, fim_alert() implementation does not check whether the return value of ctime_r is NULL or not before calling strdup() on it. A compromised agent can cause a crash of analysisd by sending a โฆ