Overview

CVE-2025-61915 is a medium-severity vulnerability affecting OpenPrinting CUPS (Common Unix Printing System), a widely used open-source printing system for Linux and other Unix-like operating systems. This vulnerability allows a user in the lpadmin group to inject malicious configuration lines via the CUPS web UI, leading to an out-of-bounds write during the parsing of the configuration by the cupsd process, which runs as root. Successful exploitation can lead to privilege escalation, allowing an attacker to execute arbitrary code with root privileges.

Technical Details

The vulnerability stems from insufficient input validation within the CUPS web UI and the subsequent parsing…
Overview

CVE-2025-58436 is a medium-severity denial-of-service (DoS) vulnerability affecting OpenPrinting CUPS (Common UNIX Printing System) versions prior to 2.4.15. This vulnerability allows a malicious client sending slow messages to the CUPS daemon (cupsd) to exhaust resources and render the printing service unusable for other clients. Organizations relying on CUPS for their printing infrastructure should take immediate action to mitigate this risk.

Published: 2025-11-29T03:15:59.323

Technical Details

The vulnerability stems from the way cupsd handles client connections. A client initiating a connection and sending data at a very slow rate (e.g., one byte per second) can tie up a cupsd worker…
Published: 2025-11-29T03:15:59.153

Overview

CVE-2025-53939 is a medium-severity vulnerability affecting Kiteworks, a private data network (PDN) solution. Specifically, versions prior to 9.1.0 are susceptible to improper input validation when managing roles within shared folders. This flaw can lead to the unintended elevation of another user’s permissions on the affected share.

Technical Details

The vulnerability resides in the role management functionality of shared folders within Kiteworks. Due to insufficient input validation, a malicious actor could manipulate the role assignment process. This manipulation could grant a user higher privileges than intended, potentially allowing them to access, modify, or delete data that they should…
Overview

CVE-2025-53900 identifies a medium-severity vulnerability in Kiteworks Managed File Transfer (MFT) versions prior to 9.1.0. This flaw arises from an improper definition of roles and permissions related to managing Connections within the Kiteworks MFT platform. Exploitation of this vulnerability could lead to an unexpected escalation of privileges for authorized users, allowing them to perform actions beyond their intended scope.

Technical Details

The vulnerability stems from insufficient access control checks when managing Connections in Kiteworks MFT. Specifically, the system fails to adequately validate user roles and permissions before granting access to modify or delete Connections. This allows a user with…
Overview

CVE-2025-53899 is a high-severity vulnerability affecting Kiteworks MFT (Managed File Transfer) versions prior to 9.1.0. This vulnerability stems from an incorrectly specified destination in a communication channel. An attacker with administrative privileges on the system, under specific circumstances, can exploit this flaw to intercept upstream communication, potentially leading to a significant escalation of privileges. Kiteworks has addressed this issue in version 9.1.0.

Technical Details

The vulnerability lies within the back-end communication channels of Kiteworks MFT. Specifically, the incorrect specification of the destination for certain internal communications allows an attacker possessing administrative privileges to redirect or intercept these communications. This…
Published: 2025-11-29

Overview

CVE-2025-53897 describes a medium-severity vulnerability affecting Kiteworks Managed File Transfer (MFT) versions prior to 9.1.0. This vulnerability could allow an attacker to gain unauthorized access to sensitive log information by exploiting a cross-site scripting (XSS)-like flaw. By tricking an administrator into visiting a crafted, malicious page within the Kiteworks MFT system, an attacker can potentially access and exfiltrate log data.

Technical Details

The vulnerability stems from insufficient input validation and output encoding when an administrator interacts with specific pages within the Kiteworks MFT interface. An attacker could craft a malicious URL or embed malicious content…
Overview

CVE-2025-53896 describes a high-severity vulnerability affecting Kiteworks Managed File Transfer (MFT) solutions. Specifically, a flaw exists that can prevent user sessions from timing out properly due to inactivity. This can leave sessions active longer than intended, potentially allowing unauthorized access to sensitive data. The vulnerability affects Kiteworks MFT versions prior to 9.1.0. A patch is available in version 9.1.0 to address this issue.

Technical Details

The vulnerability arises from a flaw in the session management mechanism within Kiteworks MFT. Under specific, but unspecified, circumstances, the inactivity timer that is intended to automatically terminate a user session fails to trigger.…
Overview

CVE-2025-66219 describes a command injection vulnerability affecting versions 0.2.1 and prior of willitmerge, a command-line tool used to check if pull requests are mergeable. This vulnerability allows attackers to execute arbitrary commands on the system by injecting malicious code through user-controlled input passed to the `exec` function. This poses a significant risk to systems where willitmerge is deployed, particularly within CI/CD pipelines or development environments.

Technical Details

The root cause of the vulnerability lies in the insecure usage of the `exec` function within the `willitmerge.js` file. Specifically, the application concatenates user-provided input (either from command-line flags or from the…
Overview

CVE-2025-66201 details a Server-Side Request Forgery (SSRF) vulnerability found in LibreChat, an open-source ChatGPT clone with extended functionalities. This flaw, present in versions prior to 0.8.1-rc2, allows an authenticated user with access to the “Actions” feature to potentially access internal resources and sensitive information by crafting malicious OpenAPI specifications. By exploiting this vulnerability, an attacker could make the LibreChat server initiate requests to arbitrary URLs, including those only accessible within the internal network, such as cloud metadata services.

Technical Details

The vulnerability lies in how LibreChat handles user-provided OpenAPI specifications within its “Actions” feature. An attacker can craft a…
Overview

CVE-2025-66036 identifies a medium-severity Cross-Site Scripting (XSS) vulnerability affecting the Retro platform, an online marketplace for vintage collections. This vulnerability exists in the input handling component of versions prior to 2.4.7. Successfully exploiting this flaw could allow attackers to inject malicious scripts into users’ browsers, potentially leading to account compromise, data theft, or other malicious activities. A patch is available in version 2.4.7, and immediate upgrading is highly recommended.

Published: 2025-11-29T02:15:52.257

Technical Details

The vulnerability stems from improper sanitization of user-supplied input within the Retro platform. Specifically, the application fails to adequately escape or validate data before rendering…