Security Vulnerabilities
Versions of the package @tiptap/extension-link before 2.10.4 are vulnerable to Cross-site Scripting (XSS) due to unsanitized user input allowed in setting or toggling links. An attacker can execute arbitrary JavaScript code in the context of the application by injecting a javascript: URL payload into these attributes, which is then triggered either by user interaction.
CVSS Score
6.1
EPSS Score
0.0
Published
2025-12-09
Path traversal in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote authenticated attacker to write arbitrary files outside of the intended directory. User interaction is required.
CVSS Score
7.1
EPSS Score
0.004
Published
2025-12-09
Improper verification of cryptographic signatures in the patch management component of Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary code. User Interaction is required.
CVSS Score
7.8
EPSS Score
0.0
Published
2025-12-09
Improper control of dynamically managed code resources in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote, unauthenticated attacker to write arbitrary files on the server, potentially leading to remote code execution. User interaction is required.
CVSS Score
8.8
EPSS Score
0.003
Published
2025-12-09
The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.9.4 via the 'get_attachment_sizes' function. This makes it possible for authenticated attackers, with Contributor-level access and above, to extract sensitive data including the path and meta data of private attachments, which can be used to view the attachments.
CVSS Score
4.3
EPSS Score
0.0
Published
2025-12-09
Improper Privilege Management vulnerability in AlgoSec Firewall Analyzer on Linux, 64 bit allows Privilege Escalation, Parameter Injection.
A local user with access to the command line may escalate their privileges by abusing the parameters of a command that is approved in the sudoers file.
This issue affects Firewall Analyzer: A33.0, A33.10.
CVSS Score
7.8
EPSS Score
0.0
Published
2025-12-09
Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required.
CVSS Score
9.6
EPSS Score
0.001
Published
2025-12-09
A vulnerability has been identified in RUGGEDCOM ROX II family (All versions < V2.17.0). The SCEP client available in the affected device for secure certificate enrollment lacks validation of multiple fields. An attacker could leverage this scenario to execute arbitrary code as root user.
CVSS Score
7.2
EPSS Score
0.001
Published
2025-12-09
A vulnerability has been identified in RUGGEDCOM ROX II family (All versions < V2.17.0). Code injection can be achieved when the affected device is using VRF (Virtual Routing and Forwarding). An attacker could leverage this scenario to execute arbitrary code as root user.
CVSS Score
7.2
EPSS Score
0.001
Published
2025-12-09
A vulnerability has been identified in RUGGEDCOM ROX II family (All versions < V2.17.0). Under certain conditions, IPsec may allow code injection in the affected device. An attacker could leverage this scenario to execute arbitrary code as root user.
CVSS Score
7.2
EPSS Score
0.001
Published
2025-12-09