VulniPulse uses Google Ads measurement to understand visits from advertisements and campaign performance. It runs cookie-free until you choose — accepting enables cookies for more accurate attribution. Rejecting keeps it cookie-free and never limits the site.
See exactly what is measuredComplete feed
1776 advisories across 32 monitored vendors.
Spring Data REST is vulnerable to SpEL expression injection through map-typed properties when processing JSON Patch (application/json-patch+json) requests. When a persistent entity exposes a Map-typed property, the JSON Pointer path segment used as the map key is embedded directly into a SpEL expression without sanitization or validation. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
Spring Data REST's JSON Patch (application/json-patch+json) implementation does not apply the write-access filter to intermediate path segments when resolving a multi-segment JSON Pointer. Affected versions: Spring Data REST 3.7.0 through 3.7.19; 4.3.0 through 4.3.16; 4.4.0 through 4.4.14; 4.5.0 through 4.5.11; 5.0.0 through 5.0.5.
Spring Data MongoDB contains a SpEL (Spring Expression Language) expression injection vulnerability. The issue occurs during parameter binding when a user-defined repository query method is annotated with @Query and utilizes a capture-all placeholder. Affected versions: Spring Data MongoDB 5.0.0 through 5.0.5; 4.5.0 through 4.5.11; 4.4.0 through 4.4.14; 4.3.0 through 4.3.16; 4.2.0 through 4.2.15; 4.1.0 through 4.1.14; 4.0.0 through 4.0.15; 3.4.0 through 3.4.19.
Spring Data's internal property-lookup cache accepts and permanently retains attacker-supplied strings as cache keys, allowing heap exhaustion through repeated requests. Affected versions: Spring Data Commons 2.7.0 through 2.7.19; 3.3.0 through 3.3.16; 3.4.0 through 3.4.14; 3.5.0 through 3.5.11; 4.0.0 through 4.0.5.
Spring Data Commons applications may be vulnerable to denial of service through resource exhaustion when attacker-controlled property path strings are passed to MappingContext property path resolution. Affected versions: Spring Data Commons 4.0.0 through 4.0.5; 3.5.0 through 3.5.11; 3.4.0 through 3.4.14.
An attacker able to influence values in RelyingPartyRegistration may be able to run arbitrary code on HTML forms generated by Spring Security filters. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.
An attacker with write permissions to the database table managed by JdbcAssertingPartyMetadataRepository (saml2_asserting_party_metadata) may be able to store malicious serialized payloads in the columns containing the collection of verification or encryption credentials (verification_credentials and encryption_credentials, respectively). Affected versions: Spring Security 7.0.0 through 7.0.5.
An application using spring-security-saml2-service-provider and the REDIRECT binding for SAML 2.0 Login or Logout may be vulnerable to a denial of service by way of an unbounded writer that inflates the compressed SAML payload into memory. Affected versions: Spring Security 5.7.0 through 5.7.23; 5.8.0 through 5.8.25; 6.3.0 through 6.3.16; 6.4.0 through 6.4.16; 6.5.0 through 6.5.10; 7.0.0 through 7.0.5.
The default HTTP/2 protocol configuration in certain web servers, such as Apache HTTP Server, allows a remote Denial of Service (DoS). This vulnerability is known as HTTP/2 Bomb. Successful exploitation of this vulnerability could lead to disclosure of sensitive information, addition or modification of data, or Denial of Service (DoS). Affected products: Management Services for Element Software and NetApp HCI. NetApp reports that one or more additional products remain under investigation; review the canonical advisory for current status. NetApp states there is no workaround available at this time.
Omnissa Workspace ONE® Assist for macOS contains a Local Privilege Escalation Vulnerability.
Use after free in Microsoft Office allows an unauthorized attacker to execute code locally. Affected products named by the advisory: Microsoft SharePoint Enterprise Server 2016; Microsoft SharePoint Server 2019; Microsoft SharePoint Server Subscription Edition.
Access of resource using incompatible type ('type confusion') in Microsoft Office allows an unauthorized attacker to execute code locally. Affected products named by the advisory: Microsoft SharePoint Enterprise Server 2016; Microsoft SharePoint Server 2019; Microsoft SharePoint Server Subscription Edition.
Untrusted pointer dereference in Microsoft Office Word allows an unauthorized attacker to execute code locally. Affected products named by the advisory: Microsoft SharePoint Enterprise Server 2016; Microsoft SharePoint Server 2019; Microsoft SharePoint Server Subscription Edition.
An OS command injection vulnerability in Ivanti EPMM before 12.9.0.1, 12.8.0.3 and 12.7.0.2 versions allows a remote authenticated attacker to execute arbitrary commands as root
Ivanti releases standard security patches on the second Tuesday of every month. In today’s rapidly evolving technology and threat landscape, we believe responsible transparency should be a cornerstone of any product security program. AI is compressing the time-to-exploit, and Ivanti uses leading technologies to proactively find and fix issues ––including integrating advanced LLMs into our Engineering and product security to enhance the capabilities of our teams. Our philosophy is simple: discovering and communicating vulnerabilities, and sharing that information with defenders, is not an indication of weakness; rather it is evidence of rigorous scrutiny and a proactive vulnerability management program. By aggressively seeking to identify and address vulnerabilities, our aim is to get ahead of threat actors to ensure our customers can take the steps needed to protect their environments. To that end, today Ivanti is disclosing vulnerabilities in Ivanti Endpoint Manager Mobile (EPMM) and Ivanti Sentry. It is important for customers to know: We have no evidence of these vulnerabilities being exploited in the wild. These vulnerabilities do not impact any other Ivanti solutions.
Windows DNS Client Elevation of Privilege Vulnerability Affected products named by the advisory: Windows Server 2019; Windows Server 2022; Windows Server 2025; Windows Server 2016; and 2 more. Affected products named by the advisory: Windows Server 2012 R2.
Windows Universal Disk Format File System Driver (UDFS) Elevation of Privilege Vulnerability Affected products named by the advisory: Windows Server 2022; Windows Server 2019; Windows Server 2025; Windows Server 2016; and 2 more. Affected products named by the advisory: Windows Server 2012 R2.
Windows Device Health Attestation (DHA) Elevation of Privilege Vulnerability Affected products named by the advisory: Windows Server 2019; Windows Server 2022; Windows Server 2025; Windows Server 2016.
Windows Program Compatibility Assistant Service Elevation of Privilege Vulnerability Affected products named by the advisory: Windows Server 2022; Windows Server 2025.
Microsoft Exchange Server Information Disclosure Vulnerability Affected products named by the advisory: Microsoft Exchange Server 2016 Cumulative Update 23; Microsoft Exchange Server Subscription Edition RTM; Microsoft Exchange Server 2019 Cumulative Update 15; Microsoft Exchange Server 2019 Cumulative Update 14.