Executive Summary CVE-2025-24358 describes a Cross-Site Request Forgery (CSRF) vulnerability affecting the gorilla/csrf Go package. This vulnerability arises from a flaw in the Referer header validation logic, specifically how the package determines if a request is served over TLS. Due to the r.URL.Scheme value not being populated
Executive Summary CVE-2025-32428 describes a security vulnerability in jupyter-remote-desktop-proxy version 3.0.0. When configured with TigerVNC, the VNC server was unintentionally accessible via the network, rather than solely through a UNIX socket as intended. This could allow unauthorized network access to the VNC server. The vulnerability is resolved in
Executive Summary CVE-2024-58136 is a critical vulnerability affecting the Yii Framework 2, specifically versions prior to 2.0.52. This vulnerability stems from improper handling of behavior attachment when the behavior is defined using the __class array key. It's a regression of CVE-2024-4990 and was actively exploited in
Executive Summary CVE-2025-32375 describes a critical vulnerability in BentoML's runner server, stemming from insecure deserialization. By crafting malicious POST requests with specific headers, an attacker can achieve Remote Code Execution (RCE) on the server. This allows for unauthorized arbitrary code execution, potentially leading to initial access, information disclosure,
Executive Summary CVE-2025-3248 is a critical code injection vulnerability affecting Langflow versions prior to 1.3.0. This vulnerability allows a remote, unauthenticated attacker to execute arbitrary code on the server by sending crafted HTTP requests to the /api/v1/validate/code endpoint. With a CVSS score of 9.8,
Executive Summary CVE-2025-2945 is a critical Remote Code Execution (RCE) vulnerability affecting pgAdmin 4, a web-based management tool for PostgreSQL databases. The vulnerability stems from the unsafe use of the eval() function in Python, allowing attackers to execute arbitrary code on the server. Specifically, two POST endpoints, /sqleditor/query_tool/
RCE
Executive Summary CVE-2024-12029 is a critical remote code execution (RCE) vulnerability affecting InvokeAI versions 5.3.1 through 5.4.2. This vulnerability stems from the unsafe deserialization of model files using torch.load without proper validation within the /api/v2/models/install API endpoint. An attacker can exploit this
Executive Summary CVE-2025-31481 is a critical vulnerability affecting API Platform Core versions prior to 4.0.22. This vulnerability allows attackers to bypass configured security measures on GraphQL query operations by leveraging the Relay special node type. The root cause lies in the improper handling of Relay node identification, leading
RCE
Executive Summary CVE-2025-27520 is a critical vulnerability affecting BentoML, a Python library for building AI application serving systems. This vulnerability allows unauthenticated attackers to execute arbitrary code on the server due to insecure deserialization of untrusted data. Specifically, the vulnerability resides in the serde.py module and is triggered when
Executive Summary CVE-2025-30065 is a critical vulnerability affecting the parquet-avro module of Apache Parquet Java. This vulnerability, classified as a deserialization of untrusted data flaw (CWE-502), allows unauthenticated remote attackers to execute arbitrary code on systems processing maliciously crafted Parquet files. The vulnerability exists in versions 1.15.0 and
Executive Summary CVE-2025-31132 is a critical vulnerability affecting Raven, an open-source messaging platform. This vulnerability allows a logged-in user to execute arbitrary code on the server via a specific API endpoint due to improper input validation. The vulnerability has a CVSS v3.1 score of 8.1, indicating a high
injection
Executive Summary CVE-2025-2071 describes a critical OS Command Injection vulnerability affecting the FAST LTA Silent Brick WebUI. This vulnerability allows unauthenticated remote attackers to execute arbitrary operating system commands on the underlying Linux system. The root cause lies in the insufficient sanitization of user-supplied input passed to system-level commands via