| CVE |
Vendors |
Products |
Updated |
CVSS v3.1 |
| A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the authenticated user making the request. As a result, an attacker with valid credentials could access or influence conversations owned by other users. This exposes sensitive conversation data and allows unauthorized manipulation of AI-generated outputs. |
| A vulnerability has been found in Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d. Impacted is the function Paid of the file publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java of the component Trade Payment Handler. The manipulation of the argument paymentId leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 7329437e1288540336b1c66c114ed3363adcba02. It is recommended to apply a patch to fix this issue. |
| Heap-based buffer overflow vulnerability in the image module.
Impact: Successful exploitation of this vulnerability may affect availability. |
| Out-of-bounds write vulnerability in the camera module.
Impact: Successful exploitation of this vulnerability may affect availability. |
| Type confusion vulnerability in the camera module.
Impact: Successful exploitation of this vulnerability may affect availability. |
| Out-of-bounds read issue in the media subsystem.
Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. |
| Address read vulnerability in the HDC module.
Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. |
| A vulnerability was found in itsourcecode Student Management System 1.0. The affected element is an unknown function of the file /ramonsys/enrollment/controller.php. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. |
| Buffer overflow vulnerability in the HDC module.
Impact: Successful exploitation of this vulnerability may affect availability. |
| Permission control vulnerability in the HDC module.
Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| Out-of-bounds read vulnerability in the graphics module.
Impact: Successful exploitation of this vulnerability may affect availability. |
| UAF concurrency vulnerability in the graphics module.
Impact: Successful exploitation of this vulnerability may affect availability. |
| Vulnerability of improper criterion security check in the card module.
Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| Identity authentication bypass vulnerability in the window module.
Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| Out-of-bounds write vulnerability in the DFX module.
Impact: Successful exploitation of this vulnerability may affect availability. |
| A vulnerability was determined in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /ramonsys/facultyloading/index.php. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. |
| Vulnerability of improper permission control in the print module.
Impact: Successful exploitation of this vulnerability may affect service confidentiality. |
| Out-of-bounds access vulnerability in the frequency modulation module.
Impact: Successful exploitation of this vulnerability may affect availability. |
| WeGIA is a web manager for charitable institutions. In versions prior to 3.6.10, a Stored Cross-Site Scripting (XSS) vulnerability allows an authenticated user to inject malicious JavaScript via the "Nome" field in the "Informações Pacientes" page. The payload is stored and executed when the patient information is viewed. Version 3.6.10 fixes the issue. |
| Claude Code is an agentic coding tool. In versions prior to 2.1.75 on Windows, Claude Code loaded the system-wide default configuration from C:\ProgramData\ClaudeCode\managed-settings.json without validating directory ownership or access permissions. Because the ProgramData directory is writable by non-administrative users by default and the ClaudeCode subdirectory was not pre-created or access-restricted, a low-privileged local user could create this directory and place a malicious configuration file that would be automatically loaded for any user launching Claude Code on the same machine. Exploiting this would have required a shared multi-user Windows system and a victim user to launch Claude Code after the malicious configuration was placed. This issue has been fixed on version 2.1.75. |
