ftp
Executive Summary CVE-2025-2825 is a critical vulnerability affecting CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0. This vulnerability allows unauthenticated remote attackers to bypass authentication and gain unauthorized access to the CrushFTP server. The root cause lies in improper authentication handling,
Identity
Executive Summary CVE-2025-29928 describes a critical vulnerability in authentik, an open-source identity provider. When authentik is configured to use database session storage (a non-default configuration), deleting user sessions through the web interface or API does not effectively revoke those sessions. Consequently, users whose sessions should have been terminated retain unauthorized
SQLi
Executive Summary CVE-2025-30367 is a critical SQL Injection vulnerability affecting WeGIA, a web manager for charitable institutions. The vulnerability resides in the nextPage parameter of the /WeGIA/controle/control.php endpoint. Unauthenticated attackers can exploit this flaw to manipulate SQL queries, potentially gaining access to sensitive database information, including table
Dos
Executive Summary CVE-2025-30358 describes a class pollution vulnerability affecting Mesop, a Python-based UI framework. Versions prior to 0.14.1 are susceptible to attackers overwriting global variables and class attributes in specific Mesop modules during runtime. This can lead to denial-of-service (DoS) attacks and, potentially, jailbreak attacks when interacting with
xss
Executive Summary CVE-2025-27405 is a cross-site scripting (XSS) vulnerability affecting Icinga Web 2, a widely used open-source monitoring web interface. This vulnerability allows an attacker to inject arbitrary JavaScript code into the Icinga Web 2 interface by crafting a malicious URL. If a user clicks on this crafted URL, the
vmware
Executive Summary CVE-2025-22230 describes an authentication bypass vulnerability affecting VMware Tools for Windows. This vulnerability stems from improper access control within the affected versions. A local, non-administrative user within a guest virtual machine (VM) can exploit this flaw to perform actions that should require elevated privileges. The CVSS score of
Kubernetes
Introduction On March 24, 2025, a set of critical security vulnerabilities known collectively as "IngressNightmare" were disclosed in the Ingress NGINX Controller for Kubernetes. These vulnerabilities (CVE-2025-1097, CVE-2025-1098, CVE-2025-24514, and CVE-2025-1974) affect the admission controller component and could allow attackers to execute code remotely without authentication. This technical
Kubernetes
Executive Summary CVE-2025-29778 is a security vulnerability affecting Kyverno, a policy engine designed for Kubernetes. This vulnerability allows attackers to bypass intended authorization controls by exploiting the fact that Kyverno versions prior to 1.14.0-alpha.1 incorrectly ignore the subjectRegExp and IssuerRegExp fields during keyless signature verification. This oversight
ssrf
Executive Summary CVE-2025-2691 describes a critical Server-Side Request Forgery (SSRF) vulnerability affecting versions of the nossrf Node.js package prior to 1.0.4. This vulnerability allows an attacker to bypass the intended SSRF protection mechanism by providing a hostname that resolves to a local or reserved IP address. Successful
Web
Executive Summary CVE-2025-29927 is a critical vulnerability affecting Next.js applications that utilize middleware for authorization. This vulnerability allows attackers to bypass authorization checks by manipulating the x-middleware-subrequest header in HTTP requests. Successful exploitation can lead to unauthorized access to protected routes and resources. The vulnerability is fixed in Next.
Web
Executive Summary CVE-2025-29914 describes a vulnerability in OWASP Coraza Web Application Firewall (WAF) versions prior to 3.3.3. This vulnerability arises from a parser confusion issue when handling URIs that begin with double slashes (//). Due to this confusion, the REQUEST_FILENAME variable, which is crucial for rule matching, is
Kubernetes
Executive Summary CVE-2025-29922 describes an authorization bypass vulnerability in kcp, a Kubernetes-like control plane. This flaw allows an attacker with low privileges to create or delete objects in arbitrary target workspaces through the APIExport VirtualWorkspace, even without proper APIBinding authorization. This bypass occurs because the APIExport VirtualWorkspace lacks a binding