Vulnerabilities

In JetBrains TeamCity before 2025.11 reflected XSS was possible on VCS Root setup

In JetBrains TeamCity before 2025.11 port enumeration was possible via the Perforce connection test

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> usb: gadget: udc: fix use-after-free in usb_gadget_state_work<br /> <br /> A race condition during gadget teardown can lead to a use-after-free<br /> in usb_gadget_state_work(), as reported by KASAN:<br /> <br /> BUG: KASAN: invalid-access in sysfs_notify+0x2c/0xd0<br /> Workqueue: events usb_gadget_state_work<br /> <br /> The fundamental race occurs because a concurrent event (e.g., an<br /> interrupt) can call usb_gadget_set_state() and schedule gadget-&gt;work<br /> at any time during the cleanup process in usb_del_gadget().<br /> <br /> Commit 399a45e5237c ("usb: gadget: core: flush gadget workqueue after<br /> device removal") attempted to fix this by moving flush_work() to after<br /> device_del(). However, this does not fully solve the race, as a new<br /> work item can still be scheduled *after* flush_work() completes but<br /> before the gadget&amp;#39;s memory is freed, leading to the same use-after-free.<br /> <br /> This patch fixes the race condition robustly by introducing a &amp;#39;teardown&amp;#39;<br /> flag and a &amp;#39;state_lock&amp;#39; spinlock to the usb_gadget struct. The flag is<br /> set during cleanup in usb_del_gadget() *before* calling flush_work() to<br /> prevent any new work from being scheduled once cleanup has commenced.<br /> The scheduling site, usb_gadget_set_state(), now checks this flag under<br /> the lock before queueing the work, thus safely closing the race window.

In JetBrains IntelliJ IDEA before 2025.3 missing confirmation allowed opening of untrusted remote projects over SSH

In JetBrains TeamCity before 2025.11 stored XSS was possible on agentpushInstall page

In JetBrains TeamCity before 2025.11 maven embedder allowed loading extensions via project configuration

HCL DevOps Deploy / HCL Launch is susceptible to a race condition in http-session client-IP binding enforcement which may allow a session to be briefly reused from a new IP address before it is invalidated. This could lead to unauthorized access under certain network conditions.

InvoicePlane commit debb446c is vulnerable to Incorrect Access Control. The invoices/view handler fails to verify ownership before returning invoice data.

When using the attachment interaction functionality, Canary Mail 5.1.40 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party software.

When using the attachment interaction functionality, Blue Mail 1.140.103 and below saves documents to a file system without a Mark-of-the-Web tag, which allows attackers to bypass the built-in file protection mechanisms of both Windows OS and third-party software.

An issue was discovered in Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router on firmware version V1.0.0 does not implement rate limiting to /api/login allowing attackers to brute force password enumerations.

Exposure of Private Personal Information to an Unauthorized Actor vulnerability in RTI Connext Professional (Core Libraries) allows Sniffing Network Traffic.This issue affects Connext Professional: from 7.4.0 before 7.*, from 7.2.0 before 7.3.1.