New

CVE-2025-62354: Improper neutralization of special elements used in an OS command ('command injection') in Cursor allows an unauthorized attacker to execute commands that are outside of those specified in the allowlist, resulting in arbitrary code execution.

CVE-2025-13601: Glib: integer overflow in in g_escape_uri_string(): A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential wri...

CVE-2025-9163: Houzez <= 4.1.6 - Unauthenticated Stored Cross-Site Scripting via SVG File Upload: The Houzez theme for WordPress is vulnerable to Stored Cross-Site Scripting via SVG File uploads in all versions up to, and including, 4.1.6 due to insufficient input sanitization and output escaping in the houzez_property_img_upload() and houzez_property_attachment_upload() functions. This makes it possible for ...

CVE-2025-9191: Houzez <= 4.1.6 - Authenticated (Subscriber+) PHP Object Injection via Saved Search: The Houzez theme for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 4.1.6 via deserialization of untrusted input in saved-search-item.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject a PHP Object. No known POP chain...

CVE-2025-13674: Access of Uninitialized Pointer in Wireshark: BPv7 dissector crash in Wireshark 4.6.0 allows denial of service

Updated

CVE-2025-64704: WebAssembly Micro Runtime vulnerable to a segmentation fault in v128.store instruction: WebAssembly Micro Runtime (WAMR) is a lightweight standalone WebAssembly (Wasm) runtime. Prior to version 2.4.4, WAMR is susceptible to a segmentation fault in v128.store instruction. This issue has been patched in version 2.4.4.

CVE-2025-21621: GeoServer Reflected Cross-Site Scripting (XSS) vulnerability in WMS GetFeatureInfo HTML format: GeoServer is an open source server that allows users to share and edit geospatial data. Prior to version 2.25.0, a reflected cross-site scripting (XSS) vulnerability exists in the WMS GetFeatureInfo HTML output format that enables a remote attacker to execute arbitrary JavaScript code in a victim's b...

CVE-2025-62703: Fugue is Vulnerable to Remote Code Execution by Pickle Deserialization via FlaskRPCServer: Fugue is a unified interface for distributed computing that lets users execute Python, Pandas, and SQL code on Spark, Dask, and Ray with minimal rewrites. In version 0.9.2 and prior, there is a remote code execution vulnerability by pickle deserialization via FlaskRPCServer. The Fugue framework implements...

CVE-2025-33203: NVIDIA NeMo Agent Toolkit UI for Web contains a vulnerability in the chat API endpoint where an attacker may cause a Server-Side Request Forgery. A successful exploit of this vulnerability may lead to information disclosure and denial of service.

CVE-2025-46174: Ruoyi v4.8.0 vulnerable to Incorrect Access Control. There is a missing checkUserDataScope permission check in the resetPwd Method of SysUserController.java.

CISA Known Exploited Vulnerabilities

CVE-2025-61757 Oracle Fusion Middleware: Oracle Fusion Middleware contains a missing authentication for critical function vulnerability, allowing unauthenticated remote attackers to take over Identity Manager.

CVE-2025-13223 Google Chromium V8: Google Chromium V8 contains a type confusion vulnerability that allows for heap corruption.

CVE-2025-58034 Fortinet FortiWeb: Fortinet FortiWeb contains an OS command Injection vulnerability that may allow an authenticated attacker to execute unauthorized code on the underlying system via crafted HTTP requests or CLI commands.

CVE-2025-64446 Fortinet FortiWeb: Fortinet FortiWeb contains a relative path traversal vulnerability that may allow an unauthenticated attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

CVE-2025-12480 Gladinet Triofox: Gladinet Triofox contains an improper access control vulnerability that allows access to initial setup pages even after setup is complete.