CVE list 2025/27xxx
CVEs in group: 27xxx
CVE-2025-27099 (N/A)
CVE-2025-27100 (Tuleap allows XSS via the tracker names used in the semantic timeframe deletion message)
CVE-2025-27101 (An authenticated user can crash lakeFS by exhausting server memory)
CVE-2025-27102 (Broken Access Control in Opal filesystem’s copy functionality exposes all user data)
CVE-2025-27103 (Agate vulnerable to HTML injection in user signup – Administrator phishing risk)
CVE-2025-27104 (Dataease Mysql JDBC Connection Parameters Not Being Verified Leads to Arbitrary File Read Vulnerability)
CVE-2025-27105 (double eval in For List Iter in Vyper)
CVE-2025-27106 (AugAssign evaluation order causing OOB write within the object in Vyper)
CVE-2025-27107 (Code injection in binance-trading-bot)
CVE-2025-27108 (Integrated Scripting vulnerable to arbitrary code execution via Java reflection)
CVE-2025-27109 (Cross-site Scripting vulnerability due to improper use of string.replace in dom-expressions)
CVE-2025-27110 (Lack of Escaping of HTML in JSX Fragments allows for Cross-site Scripting in solid-js)
CVE-2025-27111 (Libmodsecurity3 has possible bypass of encoded HTML entities)
CVE-2025-27112 (Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection)
CVE-2025-27113 (Navidrome has authentication bypass in Subsonic API with non-existent username)
CVE-2025-27130 (N/A)
CVE-2025-27133 (N/A)
CVE-2025-27135 (WeGIA has SQL Injection endpoint at ‘dao/pet/adicionar_tipo_exame.php’ parameter ‘tipo_exame’)
CVE-2025-27136 (RAGFlow SQL Injection vulnerability)
CVE-2025-27137 (LocalS3 CreateBucketConfiguration Endpoint XML External Entity (XXE) Injection)
CVE-2025-27138 (Dependency-Track vulnerable to local file inclusion via custom notification templates)
CVE-2025-27139 (DataEase has an improper authentication vulnerability)
CVE-2025-27140 (Combodo iTop vulnerable to stored self Cross-site Scripting in preferences)
CVE-2025-27141 (WeGIA vulnerable to OS Command Injection at endpoint ‘importar_dump.php’ parameter ‘import’ (RCE))
CVE-2025-27142 (Metabase Enterprise Edition allows cached questions to leak data to impersonated users)
CVE-2025-27143 (LocalSend path traversal vulnerability in the file upload endpoint allows nearby devices to execute arbitrary commands)
CVE-2025-27144 (Better Auth has an Open Redirect via Scheme-Less Callback Parameter)
CVE-2025-27145 (Go JOSE’s Parsing Vulnerable to Denial of Service)
CVE-2025-27146 (copyparty renders unsanitized filenames as HTML when user uploads empty files)
CVE-2025-27147 (Matrix IRC Bridge allows IRC command injection to own puppeted user)
CVE-2025-27148 (GLPI Inventory plugin has Improper Access Control Vulnerability)
CVE-2025-27149 (Gradle vulnerable to local privilege escalation through system temporary directory)
CVE-2025-27150 (Zulip exports can leak private data)
CVE-2025-27152 (Tuleap dumps the Redis password into the generated troubleshooting archives)
CVE-2025-27154 (Possible SSRF and Credential Leakage via Absolute URL in axios Requests)
CVE-2025-27155 (Spotipy’s cache file, containing spotify auth token, is created with overly broad permissions)
CVE-2025-27156 (In-memory stored Cross-site scripting (XSS) vulnerability in pineconesim)
CVE-2025-27157 (Tuleap allows content injection via emails sent by the mass emailing features)
CVE-2025-27158 (Mastodon’s rate-limits are missing on `/auth/setup`)
CVE-2025-27159 (Acrobat Reader | Access of Uninitialized Pointer (CWE-824))