Development

CVE ID : CVE-2025-32952

Published : April 22, 2025, 6:16 p.m. | 31 minutes ago

Description : Jmix is a set of libraries and tools to speed up Spring Boot data-centric application development. In versions 1.0.0 to 1.6.1 and 2.0.0 to 2.3.4, the local file storage implementation does not restrict the size of uploaded files. An attacker could exploit this by uploading excessively large files, potentially causing the server to run out of space and return HTTP 500 error, resulting in a denial of service. This issue has been patched in versions 1.6.2 and 2.4.0. A workaround is provided on the Jmix documentation website.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-32959

Published : April 22, 2025, 6:16 p.m. | 31 minutes ago

Description : CUBA Platform is a high level framework for enterprise applications development. Prior to version 7.2.23, the local file storage implementation does not restrict the size of uploaded files. An attacker could exploit this by uploading excessively large files, potentially causing the server to run out of space and return HTTP 500 error, resulting in a denial of service. This issue has been patched in version 7.2.23. A workaround is provided on the Jmix documentation website.

Severity: 6.5 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-32960

Published : April 22, 2025, 6:16 p.m. | 31 minutes ago

Description : The CUBA REST API add-on performs operations on data and entities. Prior to version 7.2.7, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in version 7.2.7. A workaround is provided on the Jmix documentation website.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-32961

Published : April 22, 2025, 6:16 p.m. | 31 minutes ago

Description : The Cuba JPA web API enables loading and saving any entities defined in the application data model by sending simple HTTP requests. Prior to version 1.1.1, the input parameter, which consists of a file path and name, can be manipulated to return the Content-Type header with text/html if the name part ends with .html. This could allow malicious JavaScript code to be executed in the browser. For a successful attack, a malicious file needs to be uploaded beforehand. This issue has been patched in version 1.1.1. A workaround is provided on the Jmix documentation website.

Severity: 6.4 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-32963

Published : April 22, 2025, 6:16 p.m. | 31 minutes ago

Description : MinIO Operator STS is a native IAM Authentication for Kubernetes. Prior to version 7.1.0, if no audiences are provided for the `spec.audiences` field, the default will be of the Kubernetes apiserver. Without scoping, it can be replayed to other internal systems, which may unintentionally trust it. This issue has been patched in version 7.1.0.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-32964

Published : April 22, 2025, 6:16 p.m. | 31 minutes ago

Description : ManageWiki is a MediaWiki extension allowing users to manage wikis. Prior to commit 00bebea, when enabling a conflicting extension, a restricted extension would be automatically disabled even if the user did not hold the ManageWiki-restricted right. This issue has been patched in commit 00bebea. A workaround involves ensuring that any extensions requiring specific permissions in `$wgManageWikiExtensions` also require the same permissions for managing any conflicting extensions.

Severity: 4.6 | MEDIUM

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-43947

Published : April 22, 2025, 6:16 p.m. | 31 minutes ago

Description : Codemers KLIMS 1.6.DEV lacks a proper access control mechanism, allowing a normal KLIMS user to perform all the actions that an admin can perform, such as modifying the configuration, creating a user, uploading files, etc.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-43946

Published : April 22, 2025, 6:16 p.m. | 31 minutes ago

Description : TCPWave DDI 11.34P1C2 allows Remote Code Execution via Unrestricted File Upload (combined with Path Traversal).

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-43948

Published : April 22, 2025, 6:16 p.m. | 31 minutes ago

Description : Codemers KLIMS 1.6.DEV allows Python code injection. A user can provide Python code as an input value for a parameter or qualifier (such as for sorting), which will get executed on the server side.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-43949

Published : April 22, 2025, 6:16 p.m. | 31 minutes ago

Description : MuM (aka Mensch und Maschine) MapEdit (aka mapedit-web) 24.2.3 is vulnerable to SQL Injection that allows an attacker to execute malicious SQL statements that control a web application’s database server.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-43950

Published : April 22, 2025, 6:16 p.m. | 31 minutes ago

Description : DPMAdirektPro 4.1.5 is vulnerable to DLL Hijacking. It happens by placing a malicious DLL in a directory (in the absence of a legitimate DLL), which is then loaded by the application instead of the legitimate DLL. This causes the malicious DLL to load with the same privileges as the application, thus causing a privilege escalation.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-43952

Published : April 22, 2025, 6:16 p.m. | 31 minutes ago

Description : A cross-site scripting (reflected XSS) vulnerability was found in Mettler Toledo FreeWeight.Net Web Reports Viewer 8.4.0 (440). It allows an attacker to inject malicious scripts via the IW_SessionID_ parameter.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-43951

Published : April 22, 2025, 6:16 p.m. | 31 minutes ago

Description : LabVantage before LV 8.8.0.13 HF6 allows local file inclusion. Authenticated users can retrieve arbitrary files from the environment via the objectname request parameter.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

Update PyTorch ASAP | Kaspersky official blog

vulnerability
Researchers have found a way to exploit a security mechanism in a popular machine-learning framework.
April 22, 2025
A researcher has discovered a vulnerability in PyTorch – an open-sour …
Read more

Published Date:
Apr 22, 2025 (2 hours, 48 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-32434

CVE-2018-8611

New Rust Botnet Hijacking Routers to Inject Commands Remotely

A sophisticated new botnet malware written in the Rust programming language has been discovered targeting vulnerable router devices worldwide.
Dubbed “RustoBot” due to its Rust-based implementation, t …
Read more

Published Date:
Apr 22, 2025 (2 hours, 22 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2024-12987

PoC exploit for critical Erlang/OTP SSH bug is public (CVE-2025-32433)

There are now several public proof-of-concept (PoC) exploits for a maximum-severity vulnerability in the Erlang/OTP SSH server (CVE-2025-32433) unveiled last week.
“All users running an SSH server bas …
Read more

Published Date:
Apr 22, 2025 (1 hour, 23 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-32433

CVE-2021-20035

Russian Host Proton66 Tied to SuperBlack and WeaXor Ransomware

Threat actors are exploiting bulletproof hosting service Proton66 for malicious activities, including campaigns from SuperBlack ransomware operators, Android malware distribution via hacked WordPress, …
Read more

Published Date:
Apr 22, 2025 (1 hour, 6 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-0108

CVE-2024-10914

CVE-2024-41713

DOGE Big Balls Ransomware Outlook

DOGE Big Balls Ransomware is an advanced cyber extortion campaign that uniquely blends technical exploitation, misdirection tactics, and reputational attacks to confuse victims and security analysts a …
Read more

Published Date:
Apr 22, 2025 (55 minutes ago)

Vulnerabilities has been mentioned in this article.

CVE-2025-32445

CVE-2025-24054

CVE-2015-2291

CVE ID : CVE-2025-1863

Published : April 18, 2025, 6:15 a.m. | 4 days, 7 hours ago

Description : Insecure default settings have been found in recorder products provided by Yokogawa Electric Corporation. The default setting of the authentication function is disabled on the affected products. Therefore, when connected to a network with default settings, anyone can access all functions related to settings and operations. As a result, an attacker can illegally manipulate and configure important data such as measured values and settings.
This issue affects GX10 / GX20 / GP10 / GP20 Paperless Recorders: R5.04.01 or earlier; GM Data Acquisition System: R5.05.01 or earlier; DX1000 / DX2000 / DX1000N Paperless Recorders: R4.21 or earlier; FX1000 Paperless Recorders: R1.31 or earlier; μR10000 / μR20000 Chart Recorders: R1.51 or earlier; MW100 Data Acquisition Units: All versions; DX1000T / DX2000T Paperless Recorders: All versions; CX1000 / CX2000 Paperless Recorders: All versions.

Severity: 9.8 | CRITICAL

Visit the link for more details, such as CVSS details, affected products, timeline, and more…

CVE ID : CVE-2025-3785

Published : April 18, 2025, 9:15 a.m. | 4 days, 4 hours ago

Description : A vulnerability has been found in D-Link DWR-M961 1.1.36 and classified as critical. This vulnerability affects unknown code of the file /boafrm/formStaticDHCP of the component Authorization Interface. The manipulation of the argument Hostname leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Upgrading to version 1.1.49 is able to address this issue. It is recommended to upgrade the affected component.

Severity: 8.8 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more…