Security
Headlines
HeadlinesLatestCVEs

Tag

#vulnerability

GHSA-f9vc-vf3r-pqqq: Harbor repository description page has Cross-site Scripting vulnerability

### Impact In the Harbor repository information, it is possible to inject code resulting in a stored XSS issue. ### Patches Harbor v2.12.3 Harbor 2.11.3 ### Workarounds No ### References ### Credit gleb.razvitie@gmail.com

ghsa
#xss#vulnerability#auth
Suspected Admin of XSS.IS Cybercrime Forum Arrested in Ukraine

Suspected admin of XSS.IS, a major Russian-language cybercrime forum, arrested in Ukraine after years of running malware and data trade operations.

GHSA-4j66-8f4r-3pjx: bun vulnerable to OS Command Injection

All versions of the package bun are vulnerable to Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in the $ shell API due to improper neutralization of user input. An attacker can exploit this by providing specially crafted input that includes command-line arguments or shell metacharacters, leading to unintended command execution.

GHSA-9h3q-32c7-r533: private-ip vulnerable to Server-Side Request Forgery

All versions of the package private-ip are vulnerable to Server-Side Request Forgery (SSRF) where an attacker can provide an IP or hostname that resolves to a multicast IP address (224.0.0.0/4) which is not included as part of the private IP ranges in the package's source code.

GHSA-3r3j-4vrw-884j: files-bucket-server vulnerable to Directory Traversal

All versions of the package files-bucket-server are vulnerable to Directory Traversal where an attacker can traverse the file system and access files outside of the intended directory.

CISA Warns: SysAid Flaws Under Active Attack Enable Remote File Access and SSRF

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added two security flaws impacting SysAid IT support software to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. The vulnerabilities in question are listed below - CVE-2025-2775 (CVSS score: 9.3) - An improper restriction of XML external entity (XXE) reference vulnerability in the

CISA Orders Urgent Patching After Chinese Hackers Exploit SharePoint Flaws in Live Attacks

The U.S. Cybersecurity and Infrastructure Security Agency (CISA), on July 22, 2025, added two Microsoft SharePoint flaws, CVE-2025-49704 and CVE-2025-49706, to its Known Exploited Vulnerabilities (KEV) catalog, based on evidence of active exploitation. To that end, Federal Civilian Executive Branch (FCEB) agencies are required to remediate identified vulnerabilities by July 23, 2025. "CISA is

GHSA-x9hg-5q6g-q3jr: Ollama vulnerable to Cross-Domain Token Exposure

Cross-Domain Token Exposure in server.auth.getAuthorizationToken in Ollama 0.6.7 allows remote attackers to steal authentication tokens and bypass access controls via a malicious realm value in a WWW-Authenticate header returned by the /api/pull endpoint.

3 China Nation-State Actors Target SharePoint Bugs

Hackers and cybercrime groups are part of a virtual feeding frenzy, after Microsoft's recent disclosure of new vulnerabilities in on-premises editions of SharePoint Server.

GHSA-gmvv-rj92-9w35: Aim vulnerable to Cross-site Scripting

Cross-site Scripting (XSS) in aimhubio Aim 3.28.0 allows remote attackers to execute arbitrary JavaScript in victims browsers via malicious Python code submitted to the /api/reports endpoint, which is interpreted and executed by Pyodide when the report is viewed. No sanitisation or sandbox restrictions prevent JavaScript execution via pyodide.code.run_js().