CVE-2025-49588 – Linkwarden File Path Injection Vulnerability

CVE ID : CVE-2025-49588

Published : July 2, 2025, 2:15 p.m. | 1 hour, 1 minute ago

Description : Linkwarden is a self-hosted, open-source collaborative bookmark manager to collect, organize and archive webpages. In version 2.10.2, the server accepts links of format file:///etc/passwd and doesn’t do any validation before sending them to parsers and playwright, this can result in leak of other user’s links (and in some cases it might be possible to leak environment secrets). This issue has been patched in version 2.10.3 which has not been made public at time of publication.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE-2025-53106 – Graylog API Token Privilege Escalation Vulnerability

CVE ID : CVE-2025-53106

Published : July 2, 2025, 2:15 p.m. | 1 hour, 1 minute ago

Description : Graylog is a free and open log management platform. In versions 6.2.0 to before 6.2.4 and 6.3.0-alpha.1 to before 6.3.0-rc.2, Graylog users can gain elevated privileges by creating and using API tokens for the local Administrator or any other user for whom the malicious user knows the ID. For the attack to succeed, the attacker needs a user account in Graylog. They can then proceed to issue hand-crafted requests to the Graylog REST API and exploit a weak permission check for token creation. This issue has been patched in versions 6.2.4 and 6.3.0-rc.2. A workaround involves disabling the respective configuration found in System > Configuration > Users > “Allow users to create personal access tokens”.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…