CVSS: 5.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-9039 – Information Disclosure in Amazon ECS Container Agent
https://notcve.org/view.php?id=CVE-2025-9039
14 Aug 2025 — We identified an issue in the Amazon ECS agent where, under certain conditions, an introspection server could be accessed off-host by another instance if the instances are in the same security group or if their security groups allow incoming connections that include the port where the server is hosted. This issue does not affect instances where the option to allow off-host access to the introspection server is set to 'false'. This issue has been addressed in ECS agent version 1.97.1. We recommend upgrading ... • https://github.com/aws/amazon-ecs-agent/releases/tag/v1.97.1 • CWE-277: Insecure Inherited Permissions •
CVSS: 9.8EPSS: 0%CPEs: 1EXPL: 0CVE-2025-8904 – Privilege escalation issue in Amazon EMR Secret Agent component
https://notcve.org/view.php?id=CVE-2025-8904
13 Aug 2025 — Amazon EMR Secret Agent creates a keytab file containing Kerberos credentials. This file is stored in the /tmp/ directory. A user with access to this directory and another account can potentially decrypt the keys and escalate to higher privileges. Users are advised to upgrade to Amazon EMR version 7.5 or higher. For Amazon EMR releases between 6.10 and 7.4, we strongly recommend that you run the bootstrap script and RPM files with the fix provided in the location below. • https://docs.aws.amazon.com/emr/latest/ReleaseGuide/emr-release-app-versions-7.x.html • CWE-257: Storing Passwords in a Recoverable Format •
CVSS: 7.1EPSS: 0%CPEs: 2EXPL: 0CVE-2025-23278
https://notcve.org/view.php?id=CVE-2025-23278
02 Aug 2025 — NVIDIA Display Driver for Windows and Linux contains a vulnerability where an attacker might cause an improper index validation by issuing a call with crafted parameters. A successful exploit of this vulnerability might lead to data tampering or denial of service. El controlador de pantalla NVIDIA para Windows y Linux contiene una vulnerabilidad que permite a un atacante provocar una validación de índice incorrecta al ejecutar una llamada con parámetros manipulados. Una explotación exitosa de esta vulnerabi... • https://nvidia.custhelp.com/app/answers/detail/a_id/5670 • CWE-129: Improper Validation of Array Index •
CVSS: 7.3EPSS: 0%CPEs: 2EXPL: 0CVE-2025-23277
https://notcve.org/view.php?id=CVE-2025-23277
02 Aug 2025 — NVIDIA Display Driver for Linux and Windows contains a vulnerability in the kernel mode driver, where an attacker could access memory outside bounds permitted under normal use cases. A successful exploit of this vulnerability might lead to denial of service, data tampering, or information disclosure. El controlador de pantalla NVIDIA para Linux y Windows contiene una vulnerabilidad en el controlador de modo kernel, que permite a un atacante acceder a la memoria fuera de los límites permitidos en condiciones... • https://https://nvidia.custhelp.com/app/answers/detail/a_id/5670 • CWE-284: Improper Access Control •
CVSS: 5.1EPSS: 0%CPEs: 1EXPL: 0CVE-2025-8217 – Inert Malicious script injected into Amazon Q Developer Visual Studio Code (VS Code) Extension
https://notcve.org/view.php?id=CVE-2025-8217
30 Jul 2025 — The Amazon Q Developer Visual Studio Code (VS Code) extension v1.84.0 contains inert, injected code designed to call the Q Developer CLI. The code executes when the extension is launched within the VS Code environment; however the injected code contains a syntax error which prevents it from making a successful API call to the Q Developer CLI. To mitigate this issue, users should upgrade to version v1.85.0. All installations of v1.84.0 should be removed from use. La extensión Amazon Q Developer para Visual S... • https://aws.amazon.com/security/security-bulletins/AWS-2025-015 • CWE-506: Embedded Malicious Code •
CVSS: 7.6EPSS: 0%CPEs: 1EXPL: 0CVE-2025-54043 – WordPress SMTP for Amazon SES plugin <= 1.9 - SQL Injection Vulnerability
https://notcve.org/view.php?id=CVE-2025-54043
16 Jul 2025 — Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in YayCommerce SMTP for Amazon SES allows SQL Injection. This issue affects SMTP for Amazon SES: from n/a through 1.9. The SMTP for Amazon SES plugin for WordPress is vulnerable to SQL Injection in versions up to, and including, 1.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with a... • https://patchstack.com/database/wordpress/plugin/smtp-amazon-ses/vulnerability/wordpress-smtp-for-amazon-ses-plugin-1-9-sql-injection-vulnerability?_s_id=cve • CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') •
CVSS: 8.5EPSS: 0%CPEs: 24EXPL: 0CVE-2025-32988 – Gnutls: vulnerability in gnutls othername san export
https://notcve.org/view.php?id=CVE-2025-32988
09 Jul 2025 — A flaw was found in GnuTLS. A double-free vulnerability exists in GnuTLS due to incorrect ownership handling in the export logic of Subject Alternative Name (SAN) entries containing an otherName. If the type-id OID is invalid or malformed, GnuTLS will call asn1_delete_structure() on an ASN.1 node it does not own, leading to a double-free condition when the parent function or caller later attempts to free the same structure. This vulnerability can be triggered using only public GnuTLS APIs and may result in ... • https://access.redhat.com/security/cve/CVE-2025-32988 • CWE-415: Double Free •
CVSS: 7.8EPSS: 0%CPEs: 13EXPL: 0CVE-2025-7345 – Gdk‑pixbuf: heap‑buffer‑overflow in gdk‑pixbuf
https://notcve.org/view.php?id=CVE-2025-7345
08 Jul 2025 — A flaw exists in gdk‑pixbuf within the gdk_pixbuf__jpeg_image_load_increment function (io-jpeg.c) and in glib’s g_base64_encode_step (glib/gbase64.c). When processing maliciously crafted JPEG images, a heap buffer overflow can occur during Base64 encoding, allowing out-of-bounds reads from heap memory, potentially causing application crashes or arbitrary code execution. It was discovered that GDK-Pixbuf incorrectly handled certain GIF files. An attacker could possibly use this issue to expose sensitive info... • https://access.redhat.com/security/cve/CVE-2025-7345 • CWE-120: Buffer Copy without Checking Size of Input ('Classic Buffer Overflow') CWE-787: Out-of-bounds Write •
CVSS: 8.8EPSS: 0%CPEs: 33EXPL: 11CVE-2025-32462 – Sudo 1.9.17 Host Option - Elevation of Privilege
https://notcve.org/view.php?id=CVE-2025-32462
30 Jun 2025 — Sudo before 1.9.17p1, when used with a sudoers file that specifies a host that is neither the current host nor ALL, allows listed users to execute commands on unintended machines. A privilege escalation vulnerability was found in Sudo. In certain configurations, unauthorized users can gain elevated system privileges via the Sudo host option (`-h` or `--host`). When using the default sudo security policy plugin (sudoers), the host option is intended to be used in conjunction with the list option (`-l` or `--... • https://packetstorm.news/files/id/206211 • CWE-863: Incorrect Authorization •
CVSS: 9.3EPSS: 0%CPEs: 16EXPL: 45CVE-2025-32463 – Sudo chroot 1.9.17 - Local Privilege Escalation
https://notcve.org/view.php?id=CVE-2025-32463
30 Jun 2025 — Sudo before 1.9.17p1 allows local users to obtain root access because /etc/nsswitch.conf from a user-controlled directory is used with the --chroot option. A flaw was found in Sudo. This flaw allows a local attacker to escalate their privileges by tricking Sudo into loading an arbitrary shared library using the user-specified root directory via the `-R` (`--chroot`) option. An attacker can run arbitrary commands as root on systems that support `/etc/nsswitch.conf`. Rich Mirch discovered that Sudo incorrectl... • https://packetstorm.news/files/id/206210 • CWE-427: Uncontrolled Search Path Element CWE-829: Inclusion of Functionality from Untrusted Control Sphere •