Full List

Search

Recent Vulnerabilities

• CVE-2021-47671 • published on April 17, 2025 In the Linux kernel, the following vulnerability has been resolved: can: etas_es58x: es58x_rx_err_msg(): fix memory leak in error path In es58x_rx_err_msg(), if can-do_set_mode() fails, the function directly returns without calling netif_rx(skb). This means that the skb previously allocated by alloc_can_err_skb() is not freed. In other terms, this is a memory leak. This patch simply removes the return statement in the error branch and let the function continue. Issue was found with GCC -fanalyzer, please follow the link below for details.
• CVE-2021-47670 • published on April 17, 2025 In the Linux kernel, the following vulnerability has been resolved: can: peak_usb: fix use after free bugs After calling peak_usb_netif_rx_ni(skb), dereferencing skb is unsafe. Especially, the can_frame cf which aliases skb memory is accessed after the peak_usb_netif_rx_ni(). Reordering the lines solves the issue.
• CVE-2021-47669 • published on April 17, 2025 In the Linux kernel, the following vulnerability has been resolved: can: vxcan: vxcan_xmit: fix use after free bug After calling netif_rx_ni(skb), dereferencing skb is unsafe. Especially, the canfd_frame cfd which aliases skb memory is accessed after the netif_rx_ni().
• CVE-2021-47668 • published on April 17, 2025 In the Linux kernel, the following vulnerability has been resolved: can: dev: can_restart: fix use after free bug After calling netif_rx_ni(skb), dereferencing skb is unsafe. Especially, the can_frame cf which aliases skb memory is accessed after the netif_rx_ni() in: stats-rx_bytes += cf->len; Reordering the lines solves the issue.
• CVE-2020-36789 • published on April 17, 2025 In the Linux kernel, the following vulnerability has been resolved: can: dev: can_get_echo_skb(): prevent call to kfree_skb() in hard IRQ context If a driver calls can_get_echo_skb() during a hardware IRQ (which is often, but not always, the case), the 'WARN_ON(in_irq)' in net/core/skbuff.c#skb_release_head_state() might be triggered, under network congestion circumstances, together with the potential risk of a NULL pointer dereference. The root cause of this issue is the call to kfree_skb() instead of dev_kfree_skb_irq() in net/core/dev.c#enqueue_to_backlog(). This patch prevents the skb to be freed within the call to netif_rx() by incrementing its reference count with skb_get(). The skb is finally freed by one of the in-irq-context safe functions: dev_consume_skb_any() or dev_kfree_skb_any(). The "any" version is used because some drivers might call can_get_echo_skb() in a normal context. The reason for this issue to occur is that initially, in the core network stack, loopback skb were not supposed to be received in hardware IRQ context. The CAN stack is an exeption. This bug was previously reported back in 2017 in [1] but the proposed patch never got accepted. While [1] directly modifies net/core/dev.c, we try to propose here a smoother modification local to CAN network stack (the assumption behind is that only CAN devices are affected by this issue). [1] http://lore.kernel.org/r/57a3ffb6-3309-3ad5-5a34-e93c3fe3614d@cetitec.com
• CVE-2025-2947 • published on April 17, 2025 IBM i 7.6  contains a privilege escalation vulnerability due to incorrect profile swapping in an OS command.  A malicious actor can use the command to elevate privileges to gain root access to the host operating system.
• CVE-2025-43015 • published on April 17, 2025 In JetBrains RubyMine before 2025.1 remote Interpreter overwrote ports to listen on all interfaces
• CVE-2025-43014 • published on April 17, 2025 In JetBrains Toolbox App before 2.6 the SSH plugin established connections without sufficient user confirmation
• CVE-2025-43013 • published on April 17, 2025 In JetBrains Toolbox App before 2.6 unencrypted credential transmission during SSH authentication was possible
• CVE-2025-43012 • published on April 17, 2025 In JetBrains Toolbox App before 2.6 command injection in SSH plugin was possible
• CVE-2025-42921 • published on April 17, 2025 In JetBrains Toolbox App before 2.6 host key verification was missing in SSH plugin
• CVE-2025-23443 • published on April 17, 2025 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Claire Ryan Author Showcase allows Reflected XSS. This issue affects Author Showcase: from n/a through 1.4.3.
• CVE-2025-23448 • published on April 17, 2025 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in dastan800 visualslider Sldier allows Reflected XSS. This issue affects visualslider Sldier: from n/a through 1.1.1.
• CVE-2025-23773 • published on April 17, 2025 Missing Authorization vulnerability in mingocommerce Delete All Posts allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Delete All Posts: from n/a through 1.1.1.
• CVE-2025-23782 • published on April 17, 2025 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in TotalSuite TotalContest Lite allows Reflected XSS. This issue affects TotalContest Lite: from n/a through 2.8.1.
• CVE-2025-23855 • published on April 17, 2025 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fyljp SpiderDisplay allows Reflected XSS. This issue affects SpiderDisplay: from n/a through 1.9.1.
• CVE-2025-23858 • published on April 17, 2025 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hiren Patel Custom Users Order allows Reflected XSS. This issue affects Custom Users Order: from n/a through 4.2.
• CVE-2025-23906 • published on April 17, 2025 Missing Authorization vulnerability in wpseek WordPress Dashboard Tweeter allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WordPress Dashboard Tweeter: from n/a through 1.3.2.
• CVE-2025-23958 • published on April 17, 2025 Missing Authorization vulnerability in FADI MED Editor Wysiwyg Background Color allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Editor Wysiwyg Background Color: from n/a through 1.0.
• CVE-2025-24539 • published on April 17, 2025 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in debounce DeBounce Email Validator allows Reflected XSS. This issue affects DeBounce Email Validator: from n/a through 5.6.5.