Search criteria
9498 vulnerabilities
CVE-2025-66564 (GCVE-0-2025-66564)
Vulnerability from cvelistv5 – Published: 2025-12-04 22:37 – Updated: 2025-12-04 22:37
VLAI?
Summary
Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function's argument). This vulnerability is fixed in 2.0.3.
Severity ?
7.5 (High)
CWE
- CWE-405 - Asymmetric Resource Consumption (Amplification)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| sigstore | timestamp-authority |
Affected:
< 2.0.3
|
{
"containers": {
"cna": {
"affected": [
{
"product": "timestamp-authority",
"vendor": "sigstore",
"versions": [
{
"status": "affected",
"version": "\u003c 2.0.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sigstore Timestamp Authority is a service for issuing RFC 3161 timestamps. Prior to 2.0.3, Function api.ParseJSONRequest currently splits (via a call to strings.Split) an optionally-provided OID (which is untrusted data) on periods. Similarly, function api.getContentType splits the Content-Type header (which is also untrusted data) on an application string. As a result, in the face of a malicious request with either an excessively long OID in the payload containing many period characters or a malformed Content-Type header, a call to api.ParseJSONRequest or api.getContentType incurs allocations of O(n) bytes (where n stands for the length of the function\u0027s argument). This vulnerability is fixed in 2.0.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T22:37:13.307Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-4qg8-fj49-pxjh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sigstore/timestamp-authority/security/advisories/GHSA-4qg8-fj49-pxjh"
},
{
"name": "https://github.com/sigstore/timestamp-authority/commit/0cae34e197d685a14904e0bad135b89d13b69421",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sigstore/timestamp-authority/commit/0cae34e197d685a14904e0bad135b89d13b69421"
}
],
"source": {
"advisory": "GHSA-4qg8-fj49-pxjh",
"discovery": "UNKNOWN"
},
"title": "Sigstore Timestamp Authority allocates excessive memory during request parsing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66564",
"datePublished": "2025-12-04T22:37:13.307Z",
"dateReserved": "2025-12-04T16:05:22.975Z",
"dateUpdated": "2025-12-04T22:37:13.307Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66563 (GCVE-0-2025-66563)
Vulnerability from cvelistv5 – Published: 2025-12-04 22:34 – Updated: 2025-12-04 22:34
VLAI?
Summary
Monkeytype is a minimalistic and customizable typing test. In 25.49.0 and earlier, there is improper handling of user input which allows an attacker to execute malicious javascript on anyone viewing a malicious quote submission. quote.text and quote.source are user input, and they're inserted straight into the DOM. If they contain HTML tags, they will be rendered (after some escaping using quotes and textarea tags).
Severity ?
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| monkeytypegame | monkeytype |
Affected:
<= 25.49.0
|
{
"containers": {
"cna": {
"affected": [
{
"product": "monkeytype",
"vendor": "monkeytypegame",
"versions": [
{
"status": "affected",
"version": "\u003c= 25.49.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Monkeytype is a minimalistic and customizable typing test. In 25.49.0 and earlier, there is improper handling of user input which allows an attacker to execute malicious javascript on anyone viewing a malicious quote submission. quote.text and quote.source are user input, and they\u0027re inserted straight into the DOM. If they contain HTML tags, they will be rendered (after some escaping using quotes and textarea tags)."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T22:34:10.010Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-mfjh-9552-8g27",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/monkeytypegame/monkeytype/security/advisories/GHSA-mfjh-9552-8g27"
},
{
"name": "https://github.com/monkeytypegame/monkeytype/commit/d6d062a77132ba7d6ba3b482d46ae329d3b8d695",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/monkeytypegame/monkeytype/commit/d6d062a77132ba7d6ba3b482d46ae329d3b8d695"
}
],
"source": {
"advisory": "GHSA-mfjh-9552-8g27",
"discovery": "UNKNOWN"
},
"title": "Monkeytype vulnerable to stored XSS in approve quotes page"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66563",
"datePublished": "2025-12-04T22:34:10.010Z",
"dateReserved": "2025-12-04T16:05:22.975Z",
"dateUpdated": "2025-12-04T22:34:10.010Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66561 (GCVE-0-2025-66561)
Vulnerability from cvelistv5 – Published: 2025-12-04 22:27 – Updated: 2025-12-04 22:27
VLAI?
Summary
SysReptor is a fully customizable pentest reporting platform. Prior to 2025.102, there is a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated users to execute malicious JavaScript in the context of other logged-in users by uploading malicious JavaScript files in the web UI. This vulnerability is fixed in 2025.102.
Severity ?
7.3 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Syslifters | sysreptor |
Affected:
< 2025.102
|
{
"containers": {
"cna": {
"affected": [
{
"product": "sysreptor",
"vendor": "Syslifters",
"versions": [
{
"status": "affected",
"version": "\u003c 2025.102"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SysReptor is a fully customizable pentest reporting platform. Prior to 2025.102, there is a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated users to execute malicious JavaScript in the context of other logged-in users by uploading malicious JavaScript files in the web UI. This vulnerability is fixed in 2025.102."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T22:27:52.015Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Syslifters/sysreptor/security/advisories/GHSA-64vw-v5c4-mgvm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Syslifters/sysreptor/security/advisories/GHSA-64vw-v5c4-mgvm"
}
],
"source": {
"advisory": "GHSA-64vw-v5c4-mgvm",
"discovery": "UNKNOWN"
},
"title": "SysReptor Vulnerable to an Authenticated Stored Cross-Site Scripting (XSS)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66561",
"datePublished": "2025-12-04T22:27:52.015Z",
"dateReserved": "2025-12-04T16:05:22.974Z",
"dateUpdated": "2025-12-04T22:27:52.015Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66559 (GCVE-0-2025-66559)
Vulnerability from cvelistv5 – Published: 2025-12-04 22:23 – Updated: 2025-12-04 22:23
VLAI?
Summary
Taiko Alethia is an Ethereum-equivalent, permissionless, based rollup designed to scale Ethereum without compromising its fundamental properties. In 2.3.1 and earlier, TaikoInbox._verifyBatches (packages/protocol/contracts/layer1/based/TaikoInbox.sol:627-678) advanced the local tid to whatever transition matched the current blockHash before knowing whether that batch would actually be verified. When the loop later broke (e.g., cooldown window not yet passed or transition invalidated), the function still wrote that newer tid into batches[lastVerifiedBatchId].verifiedTransitionId after decrementing batchId. Result: the last verified batch could end up pointing at a transition index from the next batch (often zeroed), corrupting the verified chain pointer.
Severity ?
CWE
- CWE-129 - Improper Validation of Array Index
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| taikoxyz | taiko-mono |
Affected:
<= 2.3.1
|
{
"containers": {
"cna": {
"affected": [
{
"product": "taiko-mono",
"vendor": "taikoxyz",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.3.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Taiko Alethia is an Ethereum-equivalent, permissionless, based rollup designed to scale Ethereum without compromising its fundamental properties. In 2.3.1 and earlier, TaikoInbox._verifyBatches (packages/protocol/contracts/layer1/based/TaikoInbox.sol:627-678) advanced the local tid to whatever transition matched the current blockHash before knowing whether that batch would actually be verified. When the loop later broke (e.g., cooldown window not yet passed or transition invalidated), the function still wrote that newer tid into batches[lastVerifiedBatchId].verifiedTransitionId after decrementing batchId. Result: the last verified batch could end up pointing at a transition index from the next batch (often zeroed), corrupting the verified chain pointer."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-129",
"description": "CWE-129: Improper Validation of Array Index",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T22:23:55.608Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/taikoxyz/taiko-mono/security/advisories/GHSA-5mxh-r33p-6h5x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/taikoxyz/taiko-mono/security/advisories/GHSA-5mxh-r33p-6h5x"
},
{
"name": "https://github.com/taikoxyz/taiko-mono/commit/379f5cb4ffe9e1945563ab2c7740bc9f4ea004d8",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/taikoxyz/taiko-mono/commit/379f5cb4ffe9e1945563ab2c7740bc9f4ea004d8"
}
],
"source": {
"advisory": "GHSA-5mxh-r33p-6h5x",
"discovery": "UNKNOWN"
},
"title": "Taiko Alethia Pacaya inbox verification pointer corruption"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66559",
"datePublished": "2025-12-04T22:23:55.608Z",
"dateReserved": "2025-12-04T16:01:32.473Z",
"dateUpdated": "2025-12-04T22:23:55.608Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66509 (GCVE-0-2025-66509)
Vulnerability from cvelistv5 – Published: 2025-12-04 22:10 – Updated: 2025-12-04 22:10
VLAI?
Summary
LaraDashboard is an all-In-one solution to start a Laravel Application. In 2.3.0 and earlier, the password reset flow trusts the Host header, allowing attackers to redirect the administrator’s reset token to an attacker-controlled server. This can be combined with the module installation process to automatically execute the ServiceProvider::boot() method, enabling arbitrary PHP code execution.
Severity ?
CWE
- CWE-284 - Improper Access Control
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| laradashboard | laradashboard |
Affected:
<= 2.3.0
|
{
"containers": {
"cna": {
"affected": [
{
"product": "laradashboard",
"vendor": "laradashboard",
"versions": [
{
"status": "affected",
"version": "\u003c= 2.3.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LaraDashboard is an all-In-one solution to start a Laravel Application. In 2.3.0 and earlier, the password reset flow trusts the Host header, allowing attackers to redirect the administrator\u2019s reset token to an attacker-controlled server. This can be combined with the module installation process to automatically execute the ServiceProvider::boot() method, enabling arbitrary PHP code execution."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.9,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T22:10:26.848Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/laradashboard/laradashboard/security/advisories/GHSA-j9mm-c9cj-pc82",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/laradashboard/laradashboard/security/advisories/GHSA-j9mm-c9cj-pc82"
},
{
"name": "https://github.com/laradashboard/laradashboard/commit/cc42f9cdf8e59bce794ee2d812a9709b1e6efa87",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/laradashboard/laradashboard/commit/cc42f9cdf8e59bce794ee2d812a9709b1e6efa87"
}
],
"source": {
"advisory": "GHSA-j9mm-c9cj-pc82",
"discovery": "UNKNOWN"
},
"title": "LaraDashboard: 1-Click Pre-Auth RCE via Host Header + Module Installation Chain"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66509",
"datePublished": "2025-12-04T22:10:26.848Z",
"dateReserved": "2025-12-03T15:12:22.978Z",
"dateUpdated": "2025-12-04T22:10:26.848Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66506 (GCVE-0-2025-66506)
Vulnerability from cvelistv5 – Published: 2025-12-04 22:04 – Updated: 2025-12-04 22:04
VLAI?
Summary
Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function's argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3.
Severity ?
7.5 (High)
CWE
- CWE-405 - Asymmetric Resource Consumption (Amplification)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
{
"containers": {
"cna": {
"affected": [
{
"product": "fulcio",
"vendor": "sigstore",
"versions": [
{
"status": "affected",
"version": "\u003c 1.8.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Fulcio is a free-to-use certificate authority for issuing code signing certificates for an OpenID Connect (OIDC) identity. Prior to 1.8.3, function identity.extractIssuerURL splits (via a call to strings.Split) its argument (which is untrusted data) on periods. As a result, in the face of a malicious request with an (invalid) OIDC identity token in the payload containing many period characters, a call to extractIssuerURL incurs allocations to the tune of O(n) bytes (where n stands for the length of the function\u0027s argument), with a constant factor of about 16. This vulnerability is fixed in 1.8.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-405",
"description": "CWE-405: Asymmetric Resource Consumption (Amplification)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T22:04:41.637Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/sigstore/fulcio/security/advisories/GHSA-f83f-xpx7-ffpw"
},
{
"name": "https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/sigstore/fulcio/commit/765a0e57608b9ef390e1eeeea8595b9054c63a5a"
}
],
"source": {
"advisory": "GHSA-f83f-xpx7-ffpw",
"discovery": "UNKNOWN"
},
"title": "Fulcio allocates excessive memory during token parsing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66506",
"datePublished": "2025-12-04T22:04:41.637Z",
"dateReserved": "2025-12-03T15:12:22.978Z",
"dateUpdated": "2025-12-04T22:04:41.637Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66479 (GCVE-0-2025-66479)
Vulnerability from cvelistv5 – Published: 2025-12-04 20:57 – Updated: 2025-12-04 20:57
VLAI?
Summary
Anthropic Sandbox Runtime is a lightweight sandboxing tool for enforcing filesystem and network restrictions on arbitrary processes at the OS level, without requiring a container. Prior to 0.0.16, due to a bug in sandboxing logic, sandbox-runtime did not properly enforce a network sandbox if the sandbox policy did not configure any allowed domains. This could allow sandboxed code to make network requests outside of the sandbox. A patch for this was released in v0.0.16.
Severity ?
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| anthropic-experimental | sandbox-runtime |
Affected:
< 0.0.16
|
{
"containers": {
"cna": {
"affected": [
{
"product": "sandbox-runtime",
"vendor": "anthropic-experimental",
"versions": [
{
"status": "affected",
"version": "\u003c 0.0.16"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Anthropic Sandbox Runtime is a lightweight sandboxing tool for enforcing filesystem and network restrictions on arbitrary processes at the OS level, without requiring a container. Prior to 0.0.16, due to a bug in sandboxing logic, sandbox-runtime did not properly enforce a network sandbox if the sandbox policy did not configure any allowed domains. This could allow sandboxed code to make network requests outside of the sandbox. A patch for this was released in v0.0.16."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "LOCAL",
"baseScore": 1.8,
"baseSeverity": "LOW",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T20:57:20.631Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/anthropic-experimental/sandbox-runtime/security/advisories/GHSA-9gqj-5w7c-vx47",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/anthropic-experimental/sandbox-runtime/security/advisories/GHSA-9gqj-5w7c-vx47"
},
{
"name": "https://github.com/anthropic-experimental/sandbox-runtime/commit/bea2930cc1db9c73a1b15acf6dc19c5261aec1f3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/anthropic-experimental/sandbox-runtime/commit/bea2930cc1db9c73a1b15acf6dc19c5261aec1f3"
}
],
"source": {
"advisory": "GHSA-9gqj-5w7c-vx47",
"discovery": "UNKNOWN"
},
"title": "Anthropic Sandbox Runtime Incorrectly Implemented Network Sandboxing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66479",
"datePublished": "2025-12-04T20:57:20.631Z",
"dateReserved": "2025-12-02T17:09:52.016Z",
"dateUpdated": "2025-12-04T20:57:20.631Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65959 (GCVE-0-2025-65959)
Vulnerability from cvelistv5 – Published: 2025-12-04 20:46 – Updated: 2025-12-04 20:46
VLAI?
Summary
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Stored XSS vulnerability was discovered in Open-WebUI's Notes PDF download functionality. An attacker can import a Markdown file containing malicious SVG tags into Notes, allowing them to execute arbitrary JavaScript code and steal session tokens when a victim downloads the note as PDF. This vulnerability can be exploited by any authenticated user, and unauthenticated external attackers can steal session tokens from users (both admin and regular users) by sharing specially crafted markdown files. This vulnerability is fixed in 0.6.37.
Severity ?
8.7 (High)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.6.37
|
{
"containers": {
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.37"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Stored XSS vulnerability was discovered in Open-WebUI\u0027s Notes PDF download functionality. An attacker can import a Markdown file containing malicious SVG tags into Notes, allowing them to execute arbitrary JavaScript code and steal session tokens when a victim downloads the note as PDF. This vulnerability can be exploited by any authenticated user, and unauthenticated external attackers can steal session tokens from users (both admin and regular users) by sharing specially crafted markdown files. This vulnerability is fixed in 0.6.37."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T20:46:36.575Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-8wvc-869r-xfqf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-8wvc-869r-xfqf"
},
{
"name": "https://github.com/open-webui/open-webui/commit/03cc6ce8eb5c055115406e2304fbf7e3338b8dce",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/03cc6ce8eb5c055115406e2304fbf7e3338b8dce"
}
],
"source": {
"advisory": "GHSA-8wvc-869r-xfqf",
"discovery": "UNKNOWN"
},
"title": "Open WebUI vulnerable to Stored DOM XSS via Note \u0027Download PDF\u0027"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65959",
"datePublished": "2025-12-04T20:46:36.575Z",
"dateReserved": "2025-11-18T16:14:56.694Z",
"dateUpdated": "2025-12-04T20:46:36.575Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65958 (GCVE-0-2025-65958)
Vulnerability from cvelistv5 – Published: 2025-12-04 19:55 – Updated: 2025-12-04 19:55
VLAI?
Summary
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to access cloud metadata endpoints (AWS/GCP/Azure), scan internal networks, access internal services behind firewalls, and exfiltrate sensitive information. No special permissions beyond basic authentication are required. This vulnerability is fixed in 0.6.37.
Severity ?
8.5 (High)
CWE
- CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| open-webui | open-webui |
Affected:
< 0.6.37
|
{
"containers": {
"cna": {
"affected": [
{
"product": "open-webui",
"vendor": "open-webui",
"versions": [
{
"status": "affected",
"version": "\u003c 0.6.37"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.6.37, a Server-Side Request Forgery (SSRF) vulnerability in Open WebUI allows any authenticated user to force the server to make HTTP requests to arbitrary URLs. This can be exploited to access cloud metadata endpoints (AWS/GCP/Azure), scan internal networks, access internal services behind firewalls, and exfiltrate sensitive information. No special permissions beyond basic authentication are required. This vulnerability is fixed in 0.6.37."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "CWE-918: Server-Side Request Forgery (SSRF)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T19:55:13.228Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/open-webui/open-webui/security/advisories/GHSA-c6xv-rcvw-v685",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/open-webui/open-webui/security/advisories/GHSA-c6xv-rcvw-v685"
},
{
"name": "https://github.com/open-webui/open-webui/commit/02238d3113e966c353fce18f1b65117380896774",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/open-webui/open-webui/commit/02238d3113e966c353fce18f1b65117380896774"
}
],
"source": {
"advisory": "GHSA-c6xv-rcvw-v685",
"discovery": "UNKNOWN"
},
"title": "Open WebUI vulnerable to Server-Side Request Forgery (SSRF) via Arbitrary URL Processing in /api/v1/retrieval/process/web"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65958",
"datePublished": "2025-12-04T19:55:13.228Z",
"dateReserved": "2025-11-18T16:14:56.693Z",
"dateUpdated": "2025-12-04T19:55:13.228Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65945 (GCVE-0-2025-65945)
Vulnerability from cvelistv5 – Published: 2025-12-04 18:45 – Updated: 2025-12-04 18:45
VLAI?
Summary
auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1.
Severity ?
7.5 (High)
CWE
- CWE-347 - Improper Verification of Cryptographic Signature
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "node-jws",
"vendor": "auth0",
"versions": [
{
"status": "affected",
"version": "\u003c 3.2.3"
},
{
"status": "affected",
"version": "\u003e= 4.0.0, \u003c= 4.0.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "auth0/node-jws is a JSON Web Signature implementation for Node.js. In versions 3.2.2 and earlier and version 4.0.0, auth0/node-jws has an improper signature verification vulnerability when using the HS256 algorithm under specific conditions. Applications are affected when they use the jws.createVerify() function for HMAC algorithms and use user-provided data from the JSON Web Signature protected header or payload in HMAC secret lookup routines, which can allow attackers to bypass signature verification. This issue has been patched in versions 3.2.3 and 4.0.1."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-347",
"description": "CWE-347: Improper Verification of Cryptographic Signature",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T18:45:37.517Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/auth0/node-jws/security/advisories/GHSA-869p-cjfg-cm3x"
},
{
"name": "https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/auth0/node-jws/commit/34c45b2c04434f925b638de6a061de9339c0ea2e"
}
],
"source": {
"advisory": "GHSA-869p-cjfg-cm3x",
"discovery": "UNKNOWN"
},
"title": "auth0/node-jws improper HMAC signature verification vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65945",
"datePublished": "2025-12-04T18:45:37.517Z",
"dateReserved": "2025-11-18T16:14:56.691Z",
"dateUpdated": "2025-12-04T18:45:37.517Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-62173 (GCVE-0-2025-62173)
Vulnerability from cvelistv5 – Published: 2025-12-03 23:14 – Updated: 2025-12-04 14:31
VLAI?
Summary
## Summary
Authenticated SQL Injection Vulnerability in Endpoint Module Rest API
Severity ?
CWE
- CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| FreePBX | security-reporting |
Affected:
< 16.0.41
Affected: >= 17.0.0, < 17.0.6 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-62173",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-04T14:30:41.381025Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-04T14:31:59.591Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "security-reporting",
"vendor": "FreePBX",
"versions": [
{
"status": "affected",
"version": "\u003c 16.0.41"
},
{
"status": "affected",
"version": "\u003e= 17.0.0, \u003c 17.0.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "## Summary\n\nAuthenticated SQL Injection Vulnerability in Endpoint Module Rest API"
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.6,
"baseSeverity": "HIGH",
"privilegesRequired": "HIGH",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command (\u0027SQL Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T23:14:56.066Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-q3h9-fmpr-vpfw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/FreePBX/security-reporting/security/advisories/GHSA-q3h9-fmpr-vpfw"
}
],
"source": {
"advisory": "GHSA-q3h9-fmpr-vpfw",
"discovery": "UNKNOWN"
},
"title": "Authenticated SQL Injection in Endpoint Module Rest API"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-62173",
"datePublished": "2025-12-03T23:14:56.066Z",
"dateReserved": "2025-10-07T16:12:03.426Z",
"dateUpdated": "2025-12-04T14:31:59.591Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66404 (GCVE-0-2025-66404)
Vulnerability from cvelistv5 – Published: 2025-12-03 20:40 – Updated: 2025-12-03 20:54
VLAI?
Summary
MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. Prior to 2.9.8, there is a security issue exists in the exec_in_pod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in both array and string formats. When a string format is provided, it is passed directly to shell interpretation (sh -c) without input validation, allowing shell metacharacters to be interpreted. This vulnerability can be exploited through direct command injection or indirect prompt injection attacks, where AI agents may execute commands without explicit user intent. This vulnerability is fixed in 2.9.8.
Severity ?
6.4 (Medium)
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Flux159 | mcp-server-kubernetes |
Affected:
< 2.9.8
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66404",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T20:52:00.654811Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T20:54:51.582Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-wvxp-jp4w-w8wg"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mcp-server-kubernetes",
"vendor": "Flux159",
"versions": [
{
"status": "affected",
"version": "\u003c 2.9.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MCP Server Kubernetes is an MCP Server that can connect to a Kubernetes cluster and manage it. Prior to 2.9.8, there is a security issue exists in the exec_in_pod tool of the mcp-server-kubernetes MCP Server. The tool accepts user-provided commands in both array and string formats. When a string format is provided, it is passed directly to shell interpretation (sh -c) without input validation, allowing shell metacharacters to be interpreted. This vulnerability can be exploited through direct command injection or indirect prompt injection attacks, where AI agents may execute commands without explicit user intent. This vulnerability is fixed in 2.9.8."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T20:40:11.046Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-wvxp-jp4w-w8wg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/Flux159/mcp-server-kubernetes/security/advisories/GHSA-wvxp-jp4w-w8wg"
},
{
"name": "https://github.com/Flux159/mcp-server-kubernetes/commit/d091107ff92d9ffad1b3c295092f142d6578c48b",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/Flux159/mcp-server-kubernetes/commit/d091107ff92d9ffad1b3c295092f142d6578c48b"
}
],
"source": {
"advisory": "GHSA-wvxp-jp4w-w8wg",
"discovery": "UNKNOWN"
},
"title": "mcp-server-kubernetes potential security issue in exec_in_pod tool"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66404",
"datePublished": "2025-12-03T20:40:11.046Z",
"dateReserved": "2025-11-28T23:33:56.365Z",
"dateUpdated": "2025-12-03T20:54:51.582Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66293 (GCVE-0-2025-66293)
Vulnerability from cvelistv5 – Published: 2025-12-03 20:33 – Updated: 2025-12-04 01:31
VLAI?
Summary
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.
Severity ?
7.1 (High)
CWE
- CWE-125 - Out-of-bounds Read
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66293",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T20:52:13.771582Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T20:55:03.573Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/pnggroup/libpng/issues/764"
}
],
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-12-04T01:31:47.574Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/12/03/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/12/03/7"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/12/03/8"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"product": "libpng",
"vendor": "pnggroup",
"versions": [
{
"status": "affected",
"version": "\u003c 1.6.52"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng\u0027s simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng\u0027s internal state management. Upgrade to libpng 1.6.52 or later."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125: Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T20:33:57.086Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/pnggroup/libpng/security/advisories/GHSA-9mpm-9pxh-mg4f"
},
{
"name": "https://github.com/pnggroup/libpng/issues/764",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pnggroup/libpng/issues/764"
},
{
"name": "https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1"
},
{
"name": "https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a"
}
],
"source": {
"advisory": "GHSA-9mpm-9pxh-mg4f",
"discovery": "UNKNOWN"
},
"title": "LIBPNG has an out-of-bounds read in png_image_read_composite"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66293",
"datePublished": "2025-12-03T20:33:57.086Z",
"dateReserved": "2025-11-26T23:11:46.392Z",
"dateUpdated": "2025-12-04T01:31:47.574Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66489 (GCVE-0-2025-66489)
Vulnerability from cvelistv5 – Published: 2025-12-03 19:44 – Updated: 2025-12-03 21:48
VLAI?
Summary
Cal.com is open-source scheduling software. Prior to 5.9.8, A flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8.
Severity ?
CWE
- CWE-303 - Incorrect Implementation of Authentication Algorithm
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66489",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:48:18.299562Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:48:27.861Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "cal.com",
"vendor": "calcom",
"versions": [
{
"status": "affected",
"version": "\u003c 5.9.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Cal.com is open-source scheduling software. Prior to 5.9.8, A flaw in the login credentials provider allows an attacker to bypass password verification when a TOTP code is provided, potentially gaining unauthorized access to user accounts. This issue exists due to problematic conditional logic in the authentication flow. This vulnerability is fixed in 5.9.8."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 9.9,
"baseSeverity": "CRITICAL",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-303",
"description": "CWE-303: Incorrect Implementation of Authentication Algorithm",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T19:44:35.303Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/calcom/cal.com/security/advisories/GHSA-9r3w-4j8q-pw98",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/calcom/cal.com/security/advisories/GHSA-9r3w-4j8q-pw98"
}
],
"source": {
"advisory": "GHSA-9r3w-4j8q-pw98",
"discovery": "UNKNOWN"
},
"title": "Cal.com Authentication Bypass via bad TOTP + password checks"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66489",
"datePublished": "2025-12-03T19:44:35.303Z",
"dateReserved": "2025-12-02T22:44:04.707Z",
"dateUpdated": "2025-12-03T21:48:27.861Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65097 (GCVE-0-2025-65097)
Vulnerability from cvelistv5 – Published: 2025-12-03 19:41 – Updated: 2025-12-03 21:47
VLAI?
Summary
RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, an Authenticated User can delete collections belonging to other users by directly sending a DELETE request to the collection endpoint. No ownership verification is performed before deleting collections. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2.
Severity ?
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-65097",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:47:47.143002Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:47:55.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "romm",
"vendor": "rommapp",
"versions": [
{
"status": "affected",
"version": "\u003c 4.4.1-beta.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, an Authenticated User can delete collections belonging to other users by directly sending a DELETE request to the collection endpoint. No ownership verification is performed before deleting collections. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 7.1,
"baseSeverity": "HIGH",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T19:41:33.262Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rommapp/romm/security/advisories/GHSA-v7c8-f6xc-rv9g",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rommapp/romm/security/advisories/GHSA-v7c8-f6xc-rv9g"
}
],
"source": {
"advisory": "GHSA-v7c8-f6xc-rv9g",
"discovery": "UNKNOWN"
},
"title": "Insecure Direct Object Reference (IDOR) Allows Unauthorized Deletion of User Collections"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65097",
"datePublished": "2025-12-03T19:41:33.262Z",
"dateReserved": "2025-11-17T20:55:34.692Z",
"dateUpdated": "2025-12-03T21:47:55.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65096 (GCVE-0-2025-65096)
Vulnerability from cvelistv5 – Published: 2025-12-03 19:39 – Updated: 2025-12-03 21:47
VLAI?
Summary
RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, users can read private collections / smart collections belonging to other users by directly accessing their IDs via API. No ownership verification or checking if the collection is public/private before returning collection data. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2.
Severity ?
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-65096",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:47:12.972345Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:47:22.189Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "romm",
"vendor": "rommapp",
"versions": [
{
"status": "affected",
"version": "\u003c 4.4.1-beta.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. Prior to 4.4.1 and 4.4.1-beta.2, users can read private collections / smart collections belonging to other users by directly accessing their IDs via API. No ownership verification or checking if the collection is public/private before returning collection data. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "CWE-284: Improper Access Control",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-639",
"description": "CWE-639: Authorization Bypass Through User-Controlled Key",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T19:39:53.722Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rommapp/romm/security/advisories/GHSA-5ghc-8wr3-788c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rommapp/romm/security/advisories/GHSA-5ghc-8wr3-788c"
}
],
"source": {
"advisory": "GHSA-5ghc-8wr3-788c",
"discovery": "UNKNOWN"
},
"title": "RomM Insecure Direct Object Reference (IDOR) Allows Unauthorized Access to Private Collections"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65096",
"datePublished": "2025-12-03T19:39:53.722Z",
"dateReserved": "2025-11-17T20:55:34.692Z",
"dateUpdated": "2025-12-03T21:47:22.189Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-65027 (GCVE-0-2025-65027)
Vulnerability from cvelistv5 – Published: 2025-12-03 19:36 – Updated: 2025-12-03 21:43
VLAI?
Summary
RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. RomM contains multiple unrestricted file upload vulnerabilities that allow authenticated users to upload malicious SVG or HTML files. When these files are accessed the browser executes embedded JavaScript, leading to stored Cross-Site Scripting (XSS) which when combined with a CSRF misconfiguration they lead to achieve full administrative account takeover, creating a rogue admin account, escalating the attacker account role to admin, and much more. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2.
Severity ?
7.6 (High)
CWE
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-65027",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:42:56.659839Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:43:06.583Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "romm",
"vendor": "rommapp",
"versions": [
{
"status": "affected",
"version": "\u003c 4.4.1-beta.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "RomM (ROM Manager) allows users to scan, enrich, browse and play their game collections with a clean and responsive interface. RomM contains multiple unrestricted file upload vulnerabilities that allow authenticated users to upload malicious SVG or HTML files. When these files are accessed the browser executes embedded JavaScript, leading to stored Cross-Site Scripting (XSS) which when combined with a CSRF misconfiguration they lead to achieve full administrative account takeover, creating a rogue admin account, escalating the attacker account role to admin, and much more. This vulnerability is fixed in 4.4.1 and 4.4.1-beta.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.6,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-352",
"description": "CWE-352: Cross-Site Request Forgery (CSRF)",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "CWE-434: Unrestricted Upload of File with Dangerous Type",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T19:39:11.264Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rommapp/romm/security/advisories/GHSA-v3c6-w996-f7hx",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rommapp/romm/security/advisories/GHSA-v3c6-w996-f7hx"
}
],
"source": {
"advisory": "GHSA-v3c6-w996-f7hx",
"discovery": "UNKNOWN"
},
"title": "RomM Chained XSS and CSRF Vulnerabilities Enable Admin Account Takeover"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-65027",
"datePublished": "2025-12-03T19:36:02.706Z",
"dateReserved": "2025-11-13T15:36:51.682Z",
"dateUpdated": "2025-12-03T21:43:06.583Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66453 (GCVE-0-2025-66453)
Vulnerability from cvelistv5 – Published: 2025-12-03 19:31 – Updated: 2025-12-03 19:43
VLAI?
Summary
Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker controlled float poing number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo > DToA.JS_dtostr > DToA.JS_dtoa > DToA.pow5mult where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1.
Severity ?
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66453",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T19:43:43.562652Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T19:43:58.830Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rhino",
"vendor": "mozilla",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.8.0, \u003c 1.8.1"
},
{
"status": "affected",
"version": "\u003e= 1.7.15, \u003c 1.7.15.1"
},
{
"status": "affected",
"version": "\u003c 1.7.14.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rhino is an open-source implementation of JavaScript written entirely in Java. Prior to 1.8.1, 1.7.15.1, and 1.7.14.1, when an application passed an attacker controlled float poing number into the toFixed() function, it might lead to high CPU consumption and a potential Denial of Service. Small numbers go through this call stack: NativeNumber.numTo \u003e DToA.JS_dtostr \u003e DToA.JS_dtoa \u003e DToA.pow5mult where pow5mult attempts to raise 5 to a ridiculous power. This vulnerability is fixed in 1.8.1, 1.7.15.1, and 1.7.14.1."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 5.5,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T19:31:54.629Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/mozilla/rhino/security/advisories/GHSA-3w8q-xq97-5j7x",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/mozilla/rhino/security/advisories/GHSA-3w8q-xq97-5j7x"
}
],
"source": {
"advisory": "GHSA-3w8q-xq97-5j7x",
"discovery": "UNKNOWN"
},
"title": "Rhino vulnerable high CPU usage and potential DoS when passing specific numbers to toFixed() function"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66453",
"datePublished": "2025-12-03T19:31:54.629Z",
"dateReserved": "2025-12-01T18:44:35.639Z",
"dateUpdated": "2025-12-03T19:43:58.830Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66411 (GCVE-0-2025-66411)
Vulnerability from cvelistv5 – Published: 2025-12-03 19:25 – Updated: 2025-12-03 21:42
VLAI?
Summary
Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4.
Severity ?
7.8 (High)
CWE
- CWE-532 - Insertion of Sensitive Information into Log File
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66411",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:41:56.452426Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:42:17.349Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "coder",
"vendor": "coder",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.28.0, \u003c 2.28.4"
},
{
"status": "affected",
"version": "\u003e= 2.27.0, \u003c 2.27.7"
},
{
"status": "affected",
"version": "\u003c 2.26.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Coder allows organizations to provision remote development environments via Terraform. Prior to 2.26.5, 2.27.7, and 2.28.4, Workspace Agent manifests containing sensitive values were logged in plaintext unsanitized. An attacker with limited local access to the Coder Workspace (VM, K8s Pod etc.) or a third-party system (SIEM, logging stack) could access those logs. This vulnerability is fixed in 2.26.5, 2.27.7, and 2.28.4."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-532",
"description": "CWE-532: Insertion of Sensitive Information into Log File",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T19:25:24.207Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coder/coder/security/advisories/GHSA-jf75-p25m-pw74",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coder/coder/security/advisories/GHSA-jf75-p25m-pw74"
},
{
"name": "https://github.com/coder/coder/commit/e2a46393fce40bc630df3293c1ee66a596277289",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/commit/e2a46393fce40bc630df3293c1ee66a596277289"
},
{
"name": "https://github.com/coder/coder/releases/tag/v2.26.5",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/releases/tag/v2.26.5"
},
{
"name": "https://github.com/coder/coder/releases/tag/v2.27.7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/releases/tag/v2.27.7"
},
{
"name": "https://github.com/coder/coder/releases/tag/v2.28.4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coder/coder/releases/tag/v2.28.4"
}
],
"source": {
"advisory": "GHSA-jf75-p25m-pw74",
"discovery": "UNKNOWN"
},
"title": "Coder logged sensitive objects unsanitized"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66411",
"datePublished": "2025-12-03T19:25:24.207Z",
"dateReserved": "2025-11-28T23:33:56.366Z",
"dateUpdated": "2025-12-03T21:42:17.349Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66406 (GCVE-0-2025-66406)
Vulnerability from cvelistv5 – Published: 2025-12-03 19:13 – Updated: 2025-12-03 21:40
VLAI?
Summary
Step CA is an online certificate authority for secure, automated certificate management for DevOps. Prior to 0.29.0, there is an improper authorization check for SSH certificate revocation. This affects deployments configured with the SSHPOP provisioner. This vulnerability is fixed in 0.29.0.
Severity ?
5 (Medium)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| smallstep | certificates |
Affected:
< 0.29.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66406",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:40:49.793375Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:40:59.681Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "certificates",
"vendor": "smallstep",
"versions": [
{
"status": "affected",
"version": "\u003c 0.29.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Step CA is an online certificate authority for secure, automated certificate management for DevOps. Prior to 0.29.0, there is an improper authorization check for SSH certificate revocation. This affects deployments configured with the SSHPOP provisioner. This vulnerability is fixed in 0.29.0."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T19:13:48.240Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/smallstep/certificates/security/advisories/GHSA-j7c9-79x7-8hpr",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/smallstep/certificates/security/advisories/GHSA-j7c9-79x7-8hpr"
}
],
"source": {
"advisory": "GHSA-j7c9-79x7-8hpr",
"discovery": "UNKNOWN"
},
"title": "Improper Authorization Check for SSH Certificate Revocation"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66406",
"datePublished": "2025-12-03T19:13:48.240Z",
"dateReserved": "2025-11-28T23:33:56.365Z",
"dateUpdated": "2025-12-03T21:40:59.681Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66222 (GCVE-0-2025-66222)
Vulnerability from cvelistv5 – Published: 2025-12-03 18:34 – Updated: 2025-12-03 19:10
VLAI?
Summary
DeepChat is a smart assistant uses artificial intelligence. In 0.5.0 and earlier, there is a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram renderer allows an attacker to execute arbitrary JavaScript within the application context. By leveraging the exposed Electron IPC bridge, this XSS can be escalated to Remote Code Execution (RCE) by registering and starting a malicious MCP (Model Context Protocol) server.
Severity ?
9.7 (Critical)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| ThinkInAIXYZ | deepchat |
Affected:
< 0.5.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66222",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T19:10:00.682750Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T19:10:17.039Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "deepchat",
"vendor": "ThinkInAIXYZ",
"versions": [
{
"status": "affected",
"version": "\u003c 0.5.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "DeepChat is a smart assistant uses artificial intelligence. In 0.5.0 and earlier, there is a Stored Cross-Site Scripting (XSS) vulnerability in the Mermaid diagram renderer allows an attacker to execute arbitrary JavaScript within the application context. By leveraging the exposed Electron IPC bridge, this XSS can be escalated to Remote Code Execution (RCE) by registering and starting a malicious MCP (Model Context Protocol) server."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.7,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T18:34:44.019Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ThinkInAIXYZ/deepchat/security/advisories/GHSA-v8v5-c872-mf8r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ThinkInAIXYZ/deepchat/security/advisories/GHSA-v8v5-c872-mf8r"
},
{
"name": "https://github.com/ThinkInAIXYZ/deepchat/commit/371ca7b42e3685aee6e3f0c61e85277ed1ff4db7",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/ThinkInAIXYZ/deepchat/commit/371ca7b42e3685aee6e3f0c61e85277ed1ff4db7"
}
],
"source": {
"advisory": "GHSA-v8v5-c872-mf8r",
"discovery": "UNKNOWN"
},
"title": "DeepChat Cross-Site Scripting(XSS) escalate to Remote Code Execution(RCE)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66222",
"datePublished": "2025-12-03T18:34:44.019Z",
"dateReserved": "2025-11-24T23:01:29.679Z",
"dateUpdated": "2025-12-03T19:10:17.039Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66220 (GCVE-0-2025-66220)
Vulnerability from cvelistv5 – Published: 2025-12-03 18:31 – Updated: 2025-12-03 19:10
VLAI?
Summary
Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy’s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\0) inside an OTHERNAME SAN value as valid matches.
Severity ?
5 (Medium)
CWE
- CWE-170 - Improper Null Termination
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| envoyproxy | envoy |
Affected:
>= 1.36.0, <= 1.36.2
Affected: >= 1.35.0, <= 1.35.6 Affected: >= 1.34.0, <= 1.34.10 Affected: <= 1.33.12 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66220",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T19:10:43.590627Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T19:10:53.694Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "envoy",
"vendor": "envoyproxy",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.36.0, \u003c= 1.36.2"
},
{
"status": "affected",
"version": "\u003e= 1.35.0, \u003c= 1.35.6"
},
{
"status": "affected",
"version": "\u003e= 1.34.0, \u003c= 1.34.10"
},
{
"status": "affected",
"version": "\u003c= 1.33.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy\u2019s mTLS certificate matcher for match_typed_subject_alt_names may incorrectly treat certificates containing an embedded null byte (\\0) inside an OTHERNAME SAN value as valid matches."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-170",
"description": "CWE-170: Improper Null Termination",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T18:31:50.389Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rwjg-c3h2-f57p",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rwjg-c3h2-f57p"
}
],
"source": {
"advisory": "GHSA-rwjg-c3h2-f57p",
"discovery": "UNKNOWN"
},
"title": "Envoy\u2019s TLS certificate matcher for `match_typed_subject_alt_names` may incorrectly treat certificates containing an embedded null byte"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66220",
"datePublished": "2025-12-03T18:31:50.389Z",
"dateReserved": "2025-11-24T23:01:29.679Z",
"dateUpdated": "2025-12-03T19:10:53.694Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66208 (GCVE-0-2025-66208)
Vulnerability from cvelistv5 – Published: 2025-12-03 18:25 – Updated: 2025-12-03 18:51
VLAI?
Summary
Collabora Online - Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing features of Collabora Online. In versions prior to 25.04.702, Collabora Online has a Configuration-Dependent RCE (OS Command Injection) in richdocumentscode proxy. Users of Nextcloud with Collabora Online - Built-in CODE Server app can be vulnerable to attack via proxy.php and an intermediate reverse proxy. This vulnerability is fixed in 25.04.702.
Severity ?
CWE
- CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| CollaboraOnline | online |
Affected:
< 25.04.702
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66208",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T18:51:09.547326Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T18:51:19.697Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "online",
"vendor": "CollaboraOnline",
"versions": [
{
"status": "affected",
"version": "\u003c 25.04.702"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Collabora Online - Built-in CODE Server (richdocumentscode) provides a built-in server with all of the document editing features of Collabora Online. In versions prior to 25.04.702, Collabora Online has a Configuration-Dependent RCE (OS Command Injection) in richdocumentscode proxy. Users of Nextcloud with Collabora Online - Built-in CODE Server app can be vulnerable to attack via proxy.php and an intermediate reverse proxy. This vulnerability is fixed in 25.04.702."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.2,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-78",
"description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T18:25:59.376Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/CollaboraOnline/online/security/advisories/GHSA-j3q6-q5pc-v5wf",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/CollaboraOnline/online/security/advisories/GHSA-j3q6-q5pc-v5wf"
}
],
"source": {
"advisory": "GHSA-j3q6-q5pc-v5wf",
"discovery": "UNKNOWN"
},
"title": "Configuration-Dependent RCE (OS Command Injection) in richdocumentscode proxy"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66208",
"datePublished": "2025-12-03T18:25:59.376Z",
"dateReserved": "2025-11-24T23:01:29.677Z",
"dateUpdated": "2025-12-03T18:51:19.697Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-66032 (GCVE-0-2025-66032)
Vulnerability from cvelistv5 – Published: 2025-12-03 18:16 – Updated: 2025-12-03 19:11
VLAI?
Summary
Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 1.0.93.
Severity ?
CWE
- CWE-77 - Improper Neutralization of Special Elements used in a Command ('Command Injection')
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| anthropics | claude-code |
Affected:
< 1.0.93
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-66032",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T19:11:23.570370Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T19:11:39.067Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "claude-code",
"vendor": "anthropics",
"versions": [
{
"status": "affected",
"version": "\u003c 1.0.93"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Claude Code is an agentic coding tool. Prior to 1.0.93, Due to errors in parsing shell commands related to $IFS and short CLI flags, it was possible to bypass the Claude Code read-only validation and trigger arbitrary code execution. Reliably exploiting this requires the ability to add untrusted content into a Claude Code context window. This vulnerability is fixed in 1.0.93."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-77",
"description": "CWE-77: Improper Neutralization of Special Elements used in a Command (\u0027Command Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T18:16:54.335Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/anthropics/claude-code/security/advisories/GHSA-xq4m-mc3c-vvg3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/anthropics/claude-code/security/advisories/GHSA-xq4m-mc3c-vvg3"
}
],
"source": {
"advisory": "GHSA-xq4m-mc3c-vvg3",
"discovery": "UNKNOWN"
},
"title": "Claude Code Command Validation Bypass Allows Arbitrary Code Execution"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-66032",
"datePublished": "2025-12-03T18:16:54.335Z",
"dateReserved": "2025-11-21T01:08:02.614Z",
"dateUpdated": "2025-12-03T19:11:39.067Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64763 (GCVE-0-2025-64763)
Vulnerability from cvelistv5 – Published: 2025-12-03 18:13 – Updated: 2025-12-03 20:02
VLAI?
Summary
Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments. The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel.
Severity ?
CWE
- CWE-693 - Protection Mechanism Failure
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| envoyproxy | envoy |
Affected:
>= 1.36.0, <= 1.36.2
Affected: >= 1.35.0, <= 1.35.6 Affected: >= 1.34.0, <= 1.34.10 Affected: <= 1.33.12 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64763",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T19:57:09.650775Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T20:02:40.284Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "envoy",
"vendor": "envoyproxy",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.36.0, \u003c= 1.36.2"
},
{
"status": "affected",
"version": "\u003e= 1.35.0, \u003c= 1.35.6"
},
{
"status": "affected",
"version": "\u003e= 1.34.0, \u003c= 1.34.10"
},
{
"status": "affected",
"version": "\u003c= 1.33.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, when Envoy is configured in TCP proxy mode to handle CONNECT requests, it accepts client data before issuing a 2xx response and forwards that data to the upstream TCP connection. If a forwarding proxy upstream from Envoy then responds with a non-2xx status, this can cause a de-synchronized CONNECT tunnel state. By default Envoy continues to allow early CONNECT data to avoid disrupting existing deployments. The envoy.reloadable_features.reject_early_connect_data runtime flag can be set to reject CONNECT requests that send data before a 2xx response when intermediaries upstream from Envoy may reject establishment of a CONNECT tunnel."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-693",
"description": "CWE-693: Protection Mechanism Failure",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T18:13:58.496Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rj35-4m94-77jh",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-rj35-4m94-77jh"
}
],
"source": {
"advisory": "GHSA-rj35-4m94-77jh",
"discovery": "UNKNOWN"
},
"title": "Envoy forwards early CONNECT data in TCP proxy mode"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64763",
"datePublished": "2025-12-03T18:13:58.496Z",
"dateReserved": "2025-11-10T22:29:34.876Z",
"dateUpdated": "2025-12-03T20:02:40.284Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64527 (GCVE-0-2025-64527)
Vulnerability from cvelistv5 – Published: 2025-12-03 18:04 – Updated: 2025-12-03 20:18
VLAI?
Summary
Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails. This is caused by a re-entry bug in the JwksFetcherImpl. When the first token's JWKS fetch fails, onJwksError() callback triggers processing of the second token, which calls fetch() again on the same fetcher object. The original callback's reset() then clears the second fetch's state (receiver_ and request_) which causes a crash when the async HTTP response arrives.
Severity ?
6.5 (Medium)
CWE
- CWE-476 - NULL Pointer Dereference
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| envoyproxy | envoy |
Affected:
>= 1.36.0, <= 1.36.2
Affected: >= 1.35.0, <= 1.35.6 Affected: >= 1.34.0, <= 1.34.10 Affected: <= 1.33.12 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64527",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T20:18:07.790264Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T20:18:19.588Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "envoy",
"vendor": "envoyproxy",
"versions": [
{
"status": "affected",
"version": "\u003e= 1.36.0, \u003c= 1.36.2"
},
{
"status": "affected",
"version": "\u003e= 1.35.0, \u003c= 1.35.6"
},
{
"status": "affected",
"version": "\u003e= 1.34.0, \u003c= 1.34.10"
},
{
"status": "affected",
"version": "\u003c= 1.33.12"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Envoy is a high-performance edge/middle/service proxy. In 1.33.12, 1.34.10, 1.35.6, 1.36.2, and earlier, Envoy crashes when JWT authentication is configured with the remote JWKS fetching, allow_missing_or_failed is enabled, multiple JWT tokens are present in the request headers and the JWKS fetch fails. This is caused by a re-entry bug in the JwksFetcherImpl. When the first token\u0027s JWKS fetch fails, onJwksError() callback triggers processing of the second token, which calls fetch() again on the same fetcher object. The original callback\u0027s reset() then clears the second fetch\u0027s state (receiver_ and request_) which causes a crash when the async HTTP response arrives."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-476",
"description": "CWE-476: NULL Pointer Dereference",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T18:04:35.160Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-mp85-7mrq-r866",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-mp85-7mrq-r866"
}
],
"source": {
"advisory": "GHSA-mp85-7mrq-r866",
"discovery": "UNKNOWN"
},
"title": "Envoy crashes when JWT authentication is configured with the remote JWKS fetching"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64527",
"datePublished": "2025-12-03T18:04:35.160Z",
"dateReserved": "2025-11-05T21:15:39.401Z",
"dateUpdated": "2025-12-03T20:18:19.588Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-64443 (GCVE-0-2025-64443)
Vulnerability from cvelistv5 – Published: 2025-12-03 17:41 – Updated: 2025-12-03 18:14
VLAI?
Summary
MCP Gateway allows easy and secure running and deployment of MCP servers. In versions 0.27.0 and earlier, when MCP Gateway runs in sse or streaming transport mode, it is vulnerable to DNS rebinding. An attacker who can get a victim to visit a malicious website or be served a malicious advertisement can perform browser-based exploitation of MCP servers executing behind the gateway, including manipulating tools or other features exposed by those MCP servers. MCP Gateway is not affected when running in the default stdio mode, which does not listen on network ports. Version 0.28.0 fixes this issue.
Severity ?
CWE
- CWE-749 - Exposed Dangerous Method or Function
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| docker | mcp-gateway |
Affected:
< 0.28.0
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-64443",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T18:12:16.672750Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T18:14:24.648Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "mcp-gateway",
"vendor": "docker",
"versions": [
{
"status": "affected",
"version": "\u003c 0.28.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MCP Gateway allows easy and secure running and deployment of MCP servers. In versions 0.27.0 and earlier, when MCP Gateway runs in sse or streaming transport mode, it is vulnerable to DNS rebinding. An attacker who can get a victim to visit a malicious website or be served a malicious advertisement can perform browser-based exploitation of MCP servers executing behind the gateway, including manipulating tools or other features exposed by those MCP servers. MCP Gateway is not affected when running in the default stdio mode, which does not listen on network ports. Version 0.28.0 fixes this issue."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "PASSIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:H/VA:N/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-749",
"description": "CWE-749: Exposed Dangerous Method or Function",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T17:41:59.272Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/docker/mcp-gateway/security/advisories/GHSA-46gc-mwh4-cc5r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/docker/mcp-gateway/security/advisories/GHSA-46gc-mwh4-cc5r"
},
{
"name": "https://github.com/docker/mcp-gateway/commit/6b076b2479d8d1345c50c112119c62978d46858e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/docker/mcp-gateway/commit/6b076b2479d8d1345c50c112119c62978d46858e"
}
],
"source": {
"advisory": "GHSA-46gc-mwh4-cc5r",
"discovery": "UNKNOWN"
},
"title": "DNS Rebinding vulnerability present when running MCP Gateway in sse or streaming mode"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-64443",
"datePublished": "2025-12-03T17:41:59.272Z",
"dateReserved": "2025-11-03T22:12:51.366Z",
"dateUpdated": "2025-12-03T18:14:24.648Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-54065 (GCVE-0-2025-54065)
Vulnerability from cvelistv5 – Published: 2025-12-03 17:02 – Updated: 2025-12-03 21:39
VLAI?
Summary
GZDoom is a feature centric port for all Doom engine games. GZDoom is an open source Doom engine. In versions 4.14.2 and earlier, ZScript actor state handling allows scripts to read arbitrary addresses, write constants into the JIT-compiled code section, and redirect control flow through crafted FState and VMFunction structures. A script can copy FState structures into a writable buffer, modify function pointers and state transitions, and cause execution of attacker-controlled bytecode, leading to arbitrary code execution.
Severity ?
7.8 (High)
CWE
- CWE-913 - Improper Control of Dynamically-Managed Code Resources
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-54065",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:39:32.116409Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:39:49.369Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "gzdoom",
"vendor": "ZDoom",
"versions": [
{
"status": "affected",
"version": "\u003c= 4.14.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GZDoom is a feature centric port for all Doom engine games. GZDoom is an open source Doom engine. In versions 4.14.2 and earlier, ZScript actor state handling allows scripts to read arbitrary addresses, write constants into the JIT-compiled code section, and redirect control flow through crafted FState and VMFunction structures. A script can copy FState structures into a writable buffer, modify function pointers and state transitions, and cause execution of attacker-controlled bytecode, leading to arbitrary code execution."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "NONE",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-913",
"description": "CWE-913: Improper Control of Dynamically-Managed Code Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T17:02:56.603Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ZDoom/gzdoom/security/advisories/GHSA-prhc-chfw-32jg",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ZDoom/gzdoom/security/advisories/GHSA-prhc-chfw-32jg"
}
],
"source": {
"advisory": "GHSA-prhc-chfw-32jg",
"discovery": "UNKNOWN"
},
"title": "GZDoom engine allows arbitrary code execution via ZScript actor states"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-54065",
"datePublished": "2025-12-03T17:02:56.603Z",
"dateReserved": "2025-07-16T13:22:18.204Z",
"dateUpdated": "2025-12-03T21:39:49.369Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32643 (GCVE-0-2024-32643)
Vulnerability from cvelistv5 – Published: 2025-12-03 16:43 – Updated: 2025-12-03 21:25
VLAI?
Summary
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the page is modified to include a /tag/ declaration, the CMS will render the page regardless of group restrictions. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6.
Severity ?
7.5 (High)
CWE
- CWE-863 - Incorrect Authorization
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32643",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T21:25:43.095337Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T21:25:54.239Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MasaCMS",
"vendor": "MasaCMS",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.4.0, \u003c 7.4.6"
},
{
"status": "affected",
"version": "\u003e= 7.3.0, \u003c 7.3.13"
},
{
"status": "affected",
"version": "\u003c 7.2.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, if the URL to the page is modified to include a /tag/ declaration, the CMS will render the page regardless of group restrictions. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-863",
"description": "CWE-863: Incorrect Authorization",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T16:43:31.983Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-f469-jh82-97fv",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-f469-jh82-97fv"
},
{
"name": "https://github.com/MasaCMS/MasaCMS/commit/d1a2e57ef8dbc50c87b178eacc85fcccb05f5b6c",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MasaCMS/MasaCMS/commit/d1a2e57ef8dbc50c87b178eacc85fcccb05f5b6c"
}
],
"source": {
"advisory": "GHSA-f469-jh82-97fv",
"discovery": "UNKNOWN"
},
"title": "Masa CMS vulnerable to authentication bypass with /tag/"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32643",
"datePublished": "2025-12-03T16:43:31.983Z",
"dateReserved": "2024-04-16T14:15:26.874Z",
"dateUpdated": "2025-12-03T21:25:54.239Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-32642 (GCVE-0-2024-32642)
Vulnerability from cvelistv5 – Published: 2025-12-03 16:37 – Updated: 2025-12-03 16:50
VLAI?
Summary
Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, there is vulnerable to host header poisoning which allows account takeover via password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6.
Severity ?
8.8 (High)
CWE
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2024-32642",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-03T16:50:28.932386Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T16:50:44.007Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MasaCMS",
"vendor": "MasaCMS",
"versions": [
{
"status": "affected",
"version": "\u003e= 7.4.0, \u003c 7.4.6"
},
{
"status": "affected",
"version": "\u003e= 7.3.0, \u003c 7.3.13"
},
{
"status": "affected",
"version": "\u003c 7.2.8"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Masa CMS is an open source Enterprise Content Management platform. Prior to 7.2.8, 7.3.13, and 7.4.6, there is vulnerable to host header poisoning which allows account takeover via password reset email. This vulnerability is fixed in 7.2.8, 7.3.13, and 7.4.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-346",
"description": "CWE-346: Origin Validation Error",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-640",
"description": "CWE-640: Weak Password Recovery Mechanism for Forgotten Password",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-12-03T16:37:53.409Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-qjm6-c8hx-ffh8",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MasaCMS/MasaCMS/security/advisories/GHSA-qjm6-c8hx-ffh8"
},
{
"name": "https://github.com/MasaCMS/MasaCMS/commit/7541b9c99fb9e32d1de6f2658750525cec1d8960",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MasaCMS/MasaCMS/commit/7541b9c99fb9e32d1de6f2658750525cec1d8960"
}
],
"source": {
"advisory": "GHSA-qjm6-c8hx-ffh8",
"discovery": "UNKNOWN"
},
"title": "Host header poisoning allows account takeover via password reset email"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2024-32642",
"datePublished": "2025-12-03T16:37:53.409Z",
"dateReserved": "2024-04-16T14:15:26.874Z",
"dateUpdated": "2025-12-03T16:50:44.007Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}