Hydra is a Continuous Integration service for Nix based projects. Evaluation of untrusted non-flake nix code could potentially access secrets that are accessible by the hydra user/group. This should not affect the signing keys,...

SvelteKit is a framework for rapidly developing robust, performant web applications using Svelte. Prior to 2.20.6 , unsanitized search param names cause XSS vulnerability. You are affected if you iterate over all entries of...

Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via serverName2. Assigner : cve@mitre.org More information : https://gist.github.com/xyqer1/d195ea1eb37ba1cc5f709b1d4fc1a2c6

Tenda AC10 V4.0si_V16.03.10.20 is vulnerable to Buffer Overflow in AdvSetMacMtuWan via serviceName2. Assigner : cve@mitre.org More information : https://gist.github.com/xyqer1/84dc6d8b3f92597d1d597b2799c2c45f

RE11S v1.11 was discovered to contain a stack overflow via the rootAPmac parameter in the formiNICbasicREP function. Assigner : cve@mitre.org More information : https://gist.github.com/xyqer1/6145c00a51093baad7ab5b8293a06e80

An issue was discovered in AcpiS3SaveDxe and ChipsetSvcDxe in Insyde InsydeH2O with kernel 5.2 though 5.7. A potential DXE memory corruption vulnerability has been identified. The root cause is use of a pointer originating...

Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in NotFound Tourmaster allows Reflected XSS. This issue affects Tourmaster: from n/a through n/a. Assigner : audit@patchstack.com More information : https://patchstack.com/database/wordpress/plugin/tourmaster/vulnerability/wordpress-tourmaster-plugin-5-4-1-cross-site-scripting-xss-vulnerability?_s_id=cve

conda-forge-webservices is the web app deployed to run conda-forge admin commands and linting. In versions prior to 2025.4.10, a race condition vulnerability has been identified in the conda-forge-webservices component used within the shared build...

Ash Authentication provides authentication for the Ash framework. The confirmation flow for account creation currently uses a GET request triggered by clicking a link sent via email. Some email clients and security tools (e.g.,...

An unauthenticated attacker can obtain EV charger energy consumption information of other users. Assigner : ics-cert@hq.dhs.gov More information : https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04

An unauthenticated attacker can obtain other users’ charger information. Assigner : ics-cert@hq.dhs.gov More information : https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04

An attacker can get information about the groups of the smart home devices for arbitrary users (i.e., “rooms”). Assigner : ics-cert@hq.dhs.gov More information : https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04

Unauthenticated attackers can trigger device actions associated with specific “scenes” of arbitrary users. Assigner : ics-cert@hq.dhs.gov More information : https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04

Unauthenticated attackers can query information about total energy consumed by EV chargers of arbitrary users. Assigner : ics-cert@hq.dhs.gov More information : https://www.cisa.gov/news-events/ics-advisories/icsa-25-105-04