Security Vulnerabilities
Incorrect Authorization vulnerability in Drupal Commerce Alphabank Redirect allows Functionality Misuse.This issue affects Commerce Alphabank Redirect: from 0.0.0 before 1.0.3.
CVSS Score
8.8
EPSS Score
0.0
Published
2025-06-11
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Drupal Lightgallery allows Cross-Site Scripting (XSS).This issue affects Lightgallery: from 0.0.0 before 1.6.0.
CVSS Score
7.1
EPSS Score
0.001
Published
2025-06-11
Allocation of Resources Without Limits or Throttling vulnerability in Drupal Admin Audit Trail allows Excessive Allocation.This issue affects Admin Audit Trail: from 0.0.0 before 1.0.5.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-06-11
Missing Authorization vulnerability in Drupal Quick Node Block allows Forceful Browsing.This issue affects Quick Node Block: from 0.0.0 before 2.0.0.
CVSS Score
5.3
EPSS Score
0.0
Published
2025-06-11
Ai command injection in M365 Copilot allows an unauthorized attacker to disclose information over a network.
CVSS Score
9.3
EPSS Score
0.001
Published
2025-06-11
The The Events Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘data-date-*’ parameters in all versions up to, and including, 6.13.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
CVSS Score
6.4
EPSS Score
0.0
Published
2025-06-11
A vulnerability in Mozilla VPN on macOS allows privilege escalation from a normal user to root.
*This bug only affects Mozilla VPN on macOS. Other operating systems are unaffected.* This vulnerability affects Mozilla VPN 2.28.0 < (macOS).
CVSS Score
7.8
EPSS Score
0.0
Published
2025-06-11
A crafted HTML email using mailbox:/// links can trigger automatic, unsolicited downloads of .pdf files to the user's desktop or home directory without prompting, even if auto-saving is disabled. This behavior can be abused to fill the disk with garbage data (e.g. using /dev/urandom on Linux) or to leak Windows credentials via SMB links when the email is viewed in HTML mode. While user interaction is required to download the .pdf file, visual obfuscation can conceal the download trigger. Viewing the email in HTML mode is enough to load external content. This vulnerability affects Thunderbird < 128.11.1 and Thunderbird < 139.0.2.
CVSS Score
6.5
EPSS Score
0.0
Published
2025-06-11
An integer overflow was present in `OrderedHashTable` used by the JavaScript engine This vulnerability affects Firefox < 139.0.4.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-06-11
Certain canvas operations could have lead to memory corruption. This vulnerability affects Firefox < 139.0.4.
CVSS Score
9.8
EPSS Score
0.001
Published
2025-06-11