CVSS: 3.7EPSS: 0%CPEs: 27EXPL: 0CVE-2025-8556 – Github.com/cloudflare/circl: circl-fourq: missing and wrong validation can lead to incorrect results
https://notcve.org/view.php?id=CVE-2025-8556
06 Aug 2025 — A flaw was found in CIRCL's implementation of the FourQ elliptic curve. This vulnerability allows an attacker to compromise session security via low-order point injection and incorrect point validation during Diffie-Hellman key exchange. Se detectó una falla en la implementación de la curva elíptica FourQ de CIRCL. Esta vulnerabilidad permite a un atacante comprometer la seguridad de la sesión mediante la inyección de puntos de orden inferior y una validación incorrecta de puntos durante el intercambio de c... • https://access.redhat.com/security/cve/CVE-2025-8556 • CWE-347: Improper Verification of Cryptographic Signature •
CVSS: 5.9EPSS: 0%CPEs: 3EXPL: 0CVE-2025-6193 – Trustyai-explainability: command injection via lmevaljob cr
https://notcve.org/view.php?id=CVE-2025-6193
20 Jun 2025 — A command injection vulnerability was discovered in the TrustyAI Explainability toolkit. Arbitrary commands placed in certain fields of a LMEValJob custom resource (CR) may be executed in the LMEvalJob pod's terminal. This issue can be exploited via a maliciously crafted LMEvalJob by a user with permissions to deploy a CR. • https://access.redhat.com/security/cve/CVE-2025-6193 • CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') •
CVSS: 5.5EPSS: 0%CPEs: 45EXPL: 0CVE-2024-11831 – Npm-serialize-javascript: cross-site scripting (xss) in serialize-javascript
https://notcve.org/view.php?id=CVE-2024-11831
10 Feb 2025 — A flaw was found in npm-serialize-javascript. The vulnerability occurs because the serialize-javascript module does not properly sanitize certain inputs, such as regex or other JavaScript object types, allowing an attacker to inject malicious code. This code could be executed when deserialized by a web browser, causing Cross-site scripting (XSS) attacks. This issue is critical in environments where serialized data is sent to web clients, potentially compromising the security of the website or web applicatio... • https://access.redhat.com/security/cve/CVE-2024-11831 • CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') •
CVSS: 7.4EPSS: 0%CPEs: 13EXPL: 0CVE-2024-10963 – Pam: improper hostname interpretation in pam_access leads to access control bypass
https://notcve.org/view.php?id=CVE-2024-10963
07 Nov 2024 — A vulnerability was found in pam_access due to the improper handling of tokens in access.conf, interpreted as hostnames. This flaw allows attackers to bypass access restrictions by spoofing hostnames, undermining configurations designed to limit access to specific TTYs or services. The flaw poses a risk in environments relying on these configurations for local access control. A flaw was found in pam_access, where certain rules in its configuration file are mistakenly treated as hostnames. This vulnerability... • https://access.redhat.com/security/cve/CVE-2024-10963 • CWE-287: Improper Authentication •
CVSS: 9.0EPSS: 0%CPEs: 4EXPL: 0CVE-2024-7557 – Odh-dashboard: odh-model-controller: cross-model authentication bypass in openshift ai
https://notcve.org/view.php?id=CVE-2024-7557
08 Aug 2024 — A vulnerability was found in OpenShift AI that allows for authentication bypass and privilege escalation across models within the same namespace. When deploying AI models, the UI provides the option to protect models with authentication. However, credentials from one model can be used to access other models and APIs within the same namespace. The exposed ServiceAccount tokens, visible in the UI, can be utilized with oc --token={token} to exploit the elevated view privileges associated with the ServiceAccoun... • https://access.redhat.com/security/cve/CVE-2024-7557 • CWE-284: Improper Access Control •