2025-12-18 Daily Vulns
NEW:
| CVE | vendor - product | description | score | references | SSVC | title | source |
|---|---|---|---|---|---|---|---|
| CVE-2014-3146 | n/a - n/a | Incomplete blacklist vulnerability in the lxml.html.clean module in lxml before 3.3.5 allows remote attackers to conduct cross-site scripting (XSS) attacks via control characters in the link scheme passed to the clean_html function. | CNA: n/a; CVSS 3.1: 5.4 (Medium) | links 0-13 (URLs not preserved) | Exploitation: none; Automatable: no; Technical Impact: partial | (no title) | github |
| CVE-2025-12689 | Mattermost - Mattermost | Mattermost versions 11.0.x <= 11.0.4, 10.12.x <= 10.12.2, 10.11.x <= 10.11.6 fail to check a WebSocket request field for valid UTF-8, which allows an attacker to crash the Calls plugin by sending a malformed request. | CVSS 3.1: 6.5 (Medium) | link 0 (URL not preserved) | Exploitation: none; Automatable: no; Technical Impact: partial | DoS in Calls plugin via malformed UTF-8 in WebSocket request | github |
| CVE-2024-29371 | n/a - n/a | In jose4j before 0.9.5, an attacker can cause a Denial-of-Service (DoS) condition by crafting a malicious JSON Web Encryption (JWE) token with an exceptionally high compression ratio. When this token is processed by the server, it results in significant memory allocation and processing time during decompression. | CNA: n/a; CVSS 3.1: 7.5 (High) | link 0 (URL not preserved) | Exploitation: PoC; Automatable: yes; Technical Impact: partial | (no title) | github |
| CVE-2025-14727 | F5 - NGINX Ingress Controller | A vulnerability exists in the NGINX Ingress Controller's nginx.org/rewrite-target annotation validation. Note: software versions which have reached End of Technical Support (EoTS) are not evaluated. | CVSS 3.1: 8.3 (High); CVSS 4.0: 8.7 (High) | link 0 (URL not preserved) | Exploitation: none; Automatable: no; Technical Impact: partial | NGINX Ingress Controller vulnerability | github |
This post is licensed under CC BY 4.0 by the author.