Executive Summary CVE-2025-31132 is a critical vulnerability affecting Raven, an open-source messaging platform. This vulnerability allows a logged-in user to execute arbitrary code on the server via a specific API endpoint due to improper input validation. The vulnerability has a CVSS v3.1 score of 8.1, indicating a high
Executive Summary CVE-2025-2071 describes a critical OS Command Injection vulnerability affecting the FAST LTA Silent Brick WebUI. This vulnerability allows unauthenticated remote attackers to execute arbitrary operating system commands on the underlying Linux system. The root cause lies in the insufficient sanitization of user-supplied input passed to system-level commands via
Executive Summary CVE-2025-2825 is a critical vulnerability affecting CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. This vulnerability allows unauthenticated remote attackers to bypass authentication and gain unauthorized access to the CrushFTP server. The root cause lies in improper authentication handling,
Executive Summary CVE-2025-29928 describes a critical vulnerability in authentik, an open-source identity provider. When authentik is configured to use database session storage (a non-default configuration), deleting user sessions through the web interface or API does not effectively revoke those sessions. Consequently, users whose sessions should have been terminated retain unauthorized
Executive Summary CVE-2025-30367 is a critical SQL Injection vulnerability affecting WeGIA, a web manager for charitable institutions. The vulnerability resides in the nextPage parameter of the /WeGIA/controle/control.php endpoint. Unauthenticated attackers can exploit this flaw to manipulate SQL queries, potentially gaining access to sensitive database information, including table
Executive Summary CVE-2025-30358 describes a class pollution vulnerability affecting Mesop, a Python-based UI framework. Versions prior to 0.14.1 are susceptible to attackers overwriting global variables and class attributes in specific Mesop modules during runtime. This can lead to denial-of-service (DoS) attacks and, potentially, jailbreak attacks when interacting with
Executive Summary CVE-2025-27405 is a cross-site scripting (XSS) vulnerability affecting Icinga Web 2, a widely used open-source monitoring web interface. This vulnerability allows an attacker to inject arbitrary JavaScript code into the Icinga Web 2 interface by crafting a malicious URL. If a user clicks on this crafted URL, the
Executive Summary CVE-2025-22230 describes an authentication bypass vulnerability affecting VMware Tools for Windows. This vulnerability stems from improper access control within the affected versions. A local, non-administrative user within a guest virtual machine (VM) can exploit this flaw to perform actions that should require elevated privileges. The CVSS score of
Introduction On March 24, 2025, a set of critical security vulnerabilities known collectively as "IngressNightmare" were disclosed in the Ingress NGINX Controller for Kubernetes. These vulnerabilities (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974) affect the admission controller component and could allow attackers to execute code remotely without authentication. This technical
Executive Summary CVE-2025-29778 is a security vulnerability affecting Kyverno, a policy engine designed for Kubernetes. This vulnerability allows attackers to bypass intended authorization controls by exploiting the fact that Kyverno versions prior to 1.14.0-alpha.1 incorrectly ignore the subjectRegExp and IssuerRegExp fields during keyless signature verification. This oversight
Executive Summary CVE-2025-2691 describes a critical Server-Side Request Forgery (SSRF) vulnerability affecting versions of the nossrf Node.js package prior to 1.0.4. This vulnerability allows an attacker to bypass the intended SSRF protection mechanism by providing a hostname that resolves to a local or reserved IP address. Successful
Executive Summary CVE-2025-29927 is a critical vulnerability affecting Next.js applications that utilize middleware for authorization. This vulnerability allows attackers to bypass authorization checks by manipulating the x-middleware-subrequest header in HTTP requests. Successful exploitation can lead to unauthorized access to protected routes and resources. The vulnerability is fixed in Next.