CVSS: 10.0EPSS: 0%CPEs: 3EXPL: 0CVE-2025-41240 – Mounted Kubernetes Secrets under a predictable path located within the web server document root
https://notcve.org/view.php?id=CVE-2025-41240
24 Jul 2025 — Three Bitnami Helm charts mount Kubernetes Secrets under a predictable path (/opt/bitnami/*/secrets) that is located within the web server document root. In affected versions, this can lead to unauthenticated access to sensitive credentials via HTTP/S. A remote attacker could retrieve these secrets by accessing specific URLs if the application is exposed externally. The issue affects deployments using the default value of usePasswordFiles=true, which mounts secrets as files into the container filesystem. • https://github.com/bitnami/charts/security/advisories/GHSA-wgg9-9qgw-529w • CWE-552: Files or Directories Accessible to External Parties •
CVSS: 7.1EPSS: 0%CPEs: 7EXPL: 0CVE-2025-41239 – vSockets information-disclosure vulnerability
https://notcve.org/view.php?id=CVE-2025-41239
15 Jul 2025 — VMware ESXi, Workstation, Fusion, and VMware Tools contains an information disclosure vulnerability due to the usage of an uninitialised memory in vSockets. A malicious actor with local administrative privileges on a virtual machine may be able to exploit this issue to leak memory from processes communicating with vSockets. This vulnerability allows local attackers to disclose sensitive information on affected installations of VMware ESXi. An attacker must first obtain the ability to execute low-privileged ... • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877 • CWE-908: Use of Uninitialized Resource •
CVSS: 9.3EPSS: 0%CPEs: 6EXPL: 0CVE-2025-41238 – PVSCSI heap-overflow vulnerability
https://notcve.org/view.php?id=CVE-2025-41238
15 Jul 2025 — VMware ESXi, Workstation, and Fusion contain a heap-overflow vulnerability in the PVSCSI (Paravirtualized SCSI) controller that leads to an out of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox and exploitable only with configurations that are unsupported. On Workstation and Fusion, this may lead to code exec... • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877 • CWE-787: Out-of-bounds Write •
CVSS: 9.3EPSS: 0%CPEs: 1EXPL: 0CVE-2025-41237 – VMCI integer-underflow vulnerability
https://notcve.org/view.php?id=CVE-2025-41237
15 Jul 2025 — VMware ESXi, Workstation, and Fusion contain an integer-underflow in VMCI (Virtual Machine Communication Interface) that leads to an out-of-bounds write. A malicious actor with local administrative privileges on a virtual machine may exploit this issue to execute code as the virtual machine's VMX process running on the host. On ESXi, the exploitation is contained within the VMX sandbox whereas, on Workstation and Fusion, this may lead to code execution on the machine where Workstation or Fusion is installed... • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877 • CWE-787: Out-of-bounds Write •
CVSS: 9.3EPSS: 0%CPEs: 6EXPL: 0CVE-2025-41236 – VMXNET3 integer-overflow vulnerability
https://notcve.org/view.php?id=CVE-2025-41236
15 Jul 2025 — VMware ESXi, Workstation, and Fusion contain an integer-overflow vulnerability in the VMXNET3 virtual network adapter. A malicious actor with local administrative privileges on a virtual machine with VMXNET3 virtual network adapter may exploit this issue to execute code on the host. Non VMXNET3 virtual adapters are not affected by this issue. VMware ESXi, Workstation, and Fusion contain an integer-overflow vulnerability in the VMXNET3 virtual network adapter. A malicious actor with local administrative priv... • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/35877 • CWE-787: Out-of-bounds Write •
CVSS: 6.5EPSS: 0%CPEs: 3EXPL: 0CVE-2025-41234 – RFD Attack via “Content-Disposition” Header Sourced from Request
https://notcve.org/view.php?id=CVE-2025-41234
12 Jun 2025 — Description In Spring Framework, versions 6.0.x as of 6.0.5, versions 6.1.x and 6.2.x, an application is vulnerable to a reflected file download (RFD) attack when it sets a “Content-Disposition” header with a non-ASCII charset, where the filename attribute is derived from user-supplied input. Specifically, an application is vulnerable when all the following are true: * The header is prepared with org.springframework.http.ContentDisposition. * The filename is set via ContentDisposition.Builder#filename(Strin... • https://spring.io/security/cve-2025-41234 • CWE-113: Improper Neutralization of CRLF Sequences in HTTP Headers ('HTTP Request/Response Splitting') •
CVSS: 5.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22245
https://notcve.org/view.php?id=CVE-2025-22245
04 Jun 2025 — VMware NSX contains a stored Cross-Site Scripting (XSS) vulnerability in the router port due to improper input validation. VMware NSX contiene una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en el puerto del enrutador debido a una validación de entrada incorrecta. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25738 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 6.9EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22244
https://notcve.org/view.php?id=CVE-2025-22244
04 Jun 2025 — VMware NSX contains a stored Cross-Site Scripting (XSS) vulnerability in the gateway firewall due to improper input validation. VMware NSX contiene una vulnerabilidad de Cross-Site Scripting (XSS) almacenado en el firewall de puerta de enlace debido a una validación de entrada incorrecta. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25738 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.5EPSS: 0%CPEs: 1EXPL: 0CVE-2025-22243
https://notcve.org/view.php?id=CVE-2025-22243
04 Jun 2025 — VMware NSX Manager UI is vulnerable to a stored Cross-Site Scripting (XSS) attack due to improper input validation. La interfaz de usuario de VMware NSX Manager es vulnerable a un ataque de Cross-Site Scripting (XSS) almacenado debido a una validación de entrada incorrecta. • https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/25738 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 8.6EPSS: 0%CPEs: 1EXPL: 0CVE-2025-41235 – CVE-2025-41235: Spring Cloud Gateway Server Forwards Headers from Untrusted Proxies
https://notcve.org/view.php?id=CVE-2025-41235
30 May 2025 — Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies. Spring Cloud Gateway Server forwards the X-Forwarded-For and Forwarded headers from untrusted proxies. • https://spring.io/security/cve-2025-41235 • CWE-444: Inconsistent Interpretation of HTTP Requests ('HTTP Request/Response Smuggling') •