Latest Security Vulnerabilities
Saturday December 27, 2025
Unclassified
CVE-2025-68948 SiYuan Pre-3.5.1 Session Store Hardcoded Crypto Secret
CVE-2025-15106 Improper Auth in getmaxun <=0.0.28 via router.get (CVE-2025-15106)
CVE-2025-15107 actiontech sqle 4.2511.0 JWT Secret Handler Hardcoded Key
CVE-2025-68927 LibreDesk 0.8.6-beta: Stored HTML Injection in Contact Notes
CVE-2025-59946 Heap UAF in NanoMQ MQTT Broker <0.24.2
CVE-2025-54322 Root RCE via Base64-encoded Py in Xspeeder SXZOS chkid param
CVE-2025-68952 Eigent 0.0.60 RCE via 1click exec
CVE-2025-15105 Getmaxun maxun <0.0.28: Hardcoded crypto key via api_key
CVE-2025-66737 Directory Traversal in Yealink T21P_E2 Phone 52.84.0.15 Diagnostic Function
And others...
Friday December 26, 2025
Gitea
CVE-2025-68940 Gitea 1.22.5: Branch Deletion Permissions Not Properly Enforced
CVE-2025-68939 Gitea <1.23.0: Attachment API Bypasses Forbidden Extension Check
CVE-2025-68941 Gitea <1.22.3: Limited-API-token can read private resources
CVE-2025-68942 Gitea <1.22.2 XSS: search box uses v-html (v-text missing)
CVE-2025-68943 Gitea <=1.21.7: Login Time Disclosure via explore/users Order
CVE-2025-68945 Gitea <1.21.2: Anonymous View of Private Projects
CVE-2025-68944 Token Scope Propagation Flaw in Gitea <1.22.2 (Package Registry Access Control)
CVE-2025-68946 Gitea <1.20.1 XSS via forbidden URL Scheme
CVE-2025-68938 Gitea <1.25.2 Release deletion auth bypass
N8n
CVE-2025-68668 n8n Pyodide Sandbox Bypass Python Code Node (<=1.99)
CVE-2025-68697 n8n 2.0.0 File System Access Bypass in Code Node Pre2.0.0 Auth Escalation
CVE-2025-61914 n8n 1.114.0: Stored XSS in Respond to Webhook node
Eaton
CVE-2025-59887 Eaton UPS Companion Improper Auth of Lib Files Leading to Code Exec
CVE-2025-59888 Eaton UPS Companion Installer Quotation Flaw Allows RCE
CVE-2025-67450 Eaton UPS Companion insecure lib loading leads to RCE
Freshrss
CVE-2025-68148 FreshRSS DoS via 429 Retry-After in Proxy (v1.27.x fixed 1.28.0)
CVE-2025-68932 FreshRSS Token Leakage via Weak RNG before v1.28.0
Thursday December 25, 2025
Pexip Infinity
CVE-2025-32095 Pexip Infinity <37.0: Signaling Input Validation DoS
CVE-2025-32096 Pexip Infinity 33.0-37.0 Improper Input Val via Signaling DoS
CVE-2025-66378 Pexip Infinity RTMP Access Control Bypass v38.x (fixed v39.0)
CVE-2025-49088 Pexip Infinity OTJ Service DoS via Crafted Invite (32.0-37.1)
CVE-2025-66377 Pexip Infinity 39.0 Missing Auth on Internal API Enables Node Downtime
CVE-2025-66379 Pexip Infinity <39.0 Improper Input Validation in Media Impl. Causing Remote DoS
CVE-2025-66443 Pexip Infinity 35.0-38.1 Improper Input Validation (Pre-39.0) SIG Abort DoS
CVE-2025-48704 Pexip Infinity 35.0-37.2 Improper Input Val'd in Signalling DoS
CVE-2025-59683 Pexip Infinity 15.0-38.0 Secure Scheduler IAC Unauthenticated Read & DoS
Itsourcecode
CVE-2025-15078 SQLi in itsourcecode Student Management System 1.0 via /list_report.php
CVE-2025-15077 itsourcecode Student Management System 1.0 SQLi via /form137.php
CVE-2025-15075 SQLi in itsourcecode Student Management Sys v1.0 via /student_p.php
CVE-2025-15074 SQLi in itsourcecode OFFOS 1.0 via /customer_details.php
Wednesday December 24, 2025
Linux Kernel
CVE-2025-68355 Linux Kernel BPF Map Memory Leak (CVE-2025-68355)
CVE-2025-68361 ERofs stack overflow vulnerability in Linux kernel (CVE-2025-68361)
CVE-2025-68363 Linux kernel BPF helper misuses skb->transport_header
CVE-2025-68365 Linux Kernel ntfs3: Uninitialized Memory Before Use (KMSAN)
CVE-2025-68367 Linux Kernel mac_hid_toggle_emumouse Race Cond. CVE-2025-68367
CVE-2025-68371 Linux Kernel smartpqi Use-After-Free via LUN Reset Race
CVE-2025-68373 Linux Kernel md UAF: Race via repeated del_gendisk calls
CVE-2025-68374 Linux Kernel: RCU misuse in md_wakeup_thread leads to UAF
CVE-2025-68375 Linux Kernel perf/x86: NULL Event Deref via PEBS Interrupt Throttle
And others...
