Security Vulnerabilities
The function responsible for handling BLE connection responses does not verify whether a response is expected—that is, whether the device has initiated a connection request. Instead, it relies solely on identifier matching.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-09-19
In the @digitalocean/do-markdownit package through 1.16.1 (in npm), the callout and fence_environment plugins perform .includes substring matching if allowedClasses or allowedEnvironments is a string (instead of an array).
CVSS Score
5.4
EPSS Score
0.0
Published
2025-09-19
SMSEagle before 6.11 allows reflected XSS via a username or contact phone number.
CVSS Score
4.8
EPSS Score
0.0
Published
2025-09-19
In Internet2 Grouper 5.17.1 before 5.20.5, group admins who are not Grouper sysadmins can configure loader jobs.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-09-19
Snipe-IT before 8.1.18 allows unsafe deserialization.
CVSS Score
6.8
EPSS Score
0.0
Published
2025-09-19
Snipe-IT before 8.1.18 allows XSS.
CVSS Score
6.4
EPSS Score
0.0
Published
2025-09-19
OpenGrok 1.14.1 has a reflected Cross-Site Scripting (XSS) issue when producing the cross reference page. This happens through improper handling of the revision parameter. The application reflects unsanitized user input into the HTML output.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-09-19
Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Bluetooth Service allows an authorized attacker to elevate privileges locally.
CVSS Score
7.0
EPSS Score
0.0
Published
2025-09-18
Use after free in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally.
CVSS Score
7.0
EPSS Score
0.001
Published
2025-09-18
Concurrent execution using shared resource with improper synchronization ('race condition') in Microsoft Graphics Component allows an authorized attacker to elevate privileges locally.
CVSS Score
7.0
EPSS Score
0.0
Published
2025-09-18