CVE-2025-46559 – Misskey AiScript Cross-Site Request Forgery (CSRF)

May 5, 2025

CVE ID : CVE-2025-46559

Published : May 5, 2025, 7:15 p.m. | 18 minutes ago

Description : Misskey is an open source, federated social media platform. Starting in version 12.31.0 and prior to version 2025.4.1, missing validation in `Mk:api` allows malicious AiScript code to access additional endpoints that it isn’t designed to have access to. The missing validation allows malicious AiScript code to prefix a URL with `../` to step out of the `/api` directory, thereby being able to make requests to other endpoints, such as `/files`, `/url`, and `/proxy`. Version 2025.4.1 fixes the issue.

Severity: 5.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Source: Read More

Previous ArticleCVE-2025-43850 – Apache Retrieval-Based Voice Conversion WebUI Remote Code Execution

Next Article CVE-2025-46553 – Misskey/summaly Allow Redirects Bypass Vulnerability

Highlights

CVE-2025-3594 – Liferay Portal Xuggler Path Traversal Remote File Inclusion

June 16, 2025

CVE ID : CVE-2025-3594

Published : June 16, 2025, 3:15 p.m. | 3 hours, 6 minutes ago

Description : Path traversal vulnerability with the downloading and installation of Xuggler in Liferay Portal 7.0.0 through 7.4.3.4, and Liferay DXP 7.4 GA, 7.3 GA through update 34, and older unsupported versions allows remote attackers to (1) add files to arbitrary locations on the server and (2) download and execute arbitrary files from the download server via the `_com_liferay_server_admin_web_portlet_ServerAdminPortlet_jarName` parameter.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

10 Ways Node.js Development Boosts AI & Real-Time Data (2025-2026 Edition)

Looking to Outsource React.js Development? Here’s What Top Agencies Are Doing Right

Beyond The Hype: What AI Can Really Do For Product Design

BrowserStack launches Chrome extension that bundles 10+ manual web testing tools

How much RAM does your Linux PC really need in 2025?

Have solar at home? Supercharge that investment with this other crucial component

I replaced my MacBook charger with this compact wall unit – and wish I’d done it sooner

5 reasons to switch to an immutable Linux distro today – and which to try first

Sentry Adds Logs Support for Laravel Apps

Sentry Adds Logs Support for Laravel Apps

Efficient Context Management with Laravel’s Remember Functions

Laravel Devtoolbox: Your Swiss Army Knife Artisan CLI

From plateau predictions to buggy rollouts — Bill Gates’ GPT-5 skepticism looks strangely accurate

From plateau predictions to buggy rollouts — Bill Gates’ GPT-5 skepticism looks strangely accurate

We gave OpenAI’s open-source AI a kid’s test — here’s what happened

With GTA 6, next-gen exclusives, and a console comeback on the horizon, Xbox risks sitting on the sidelines — here’s why

CVE-2025-46559 – Misskey AiScript Cross-Site Request Forgery (CSRF)

Workday Staff Fall to Social Engineering; Hackers Access Third-Party CRM Platform

Get Ready for the Black Hat USA 2025 CISO Podcast Series from The Cyber Express and Suraksha Catalyst

Think DeepSeek has cut AI spending? Think again

CVE-2025-21479 – NVIDIA GPU Unauthenticated Command Execution Vulnerability

CVE-2023-5600 – GitLab EE Information Disclosure Vulnerability

Modeling Speech Emotion With Label Variance and Analyzing Performance Across Speakers and Unseen Acoustic Conditions

CVE-2025-3594 – Liferay Portal Xuggler Path Traversal Remote File Inclusion

Java at 30: How a language designed for a failed gadget became a global powerhouse

My favorite bike computer just got more affordable but with just as many safety features

CVE-2025-54026 – QuanticaLabs GymBase Theme Classes SQL Injection

CVE-2025-46559 – Misskey AiScript Cross-Site Request Forgery (CSRF)

Related Posts