CVE-2025-22954 – Koha SQL Injection Vulnerability

A vulnerability has been detected in GetLateOrMissingIssues, a component of the Koha library management system before version 24.11.02. Attackers can perform an SQL injection through the supplierid or serialid parameters in the /serials/lateissues-export.pl script. This flaw carries a critical severity rating of 10.0, representing a substantial risk to systems still using vulnerable versions.

CVE-2025-27407 – GraphQL-ruby Remote Code Execution Vulnerability

The ruby implementation of GraphQL, graphql-ruby, has been found vulnerable to remote code execution. For versions starting from 1.11.5 up to specified patched versions (including 1.11.8, 1.12.25, 1.13.24, 2.0.32, 2.1.14, 2.2.17, and 2.3.21), malicious schema definitions loaded via GraphQL::Schema.from_introspection or GraphQL::Schema::Loader.load could enable attackers to execute arbitrary code. With a severity of 9.0, the issue highlights the importance of sourcing schemas only from trusted locations.

CVE-2025-25711 – Apache tNexus Airport View Privilege Escalation Vulnerability

In the Apache tNexus Airport View version 2.8, a potential escalation of privileges exists via the ProfileID parameter through the /tnexus/rest/admin/updateUser API endpoint. This vulnerability has been assigned a high severity rating of 8.8, underlining the need for prompt updates and secure configurations.

CVE-2025-20146 – Cisco ASR Series IPv4 Multicast Denial of Service Vulnerability

A flaw in the handling of malformed IPv4 multicast packets in Cisco IOS XR Software affecting the ASR 9000 Series, ASR 9902, and ASR 9903 routers has been exposed. This vulnerability may allow remote, unauthenticated attackers to induce a line card reset, resulting in a denial of service condition. The critical intricacy of the issue is reflected in its severity score of 8.6.

CVE-2025-20142 – Cisco ASR Series IPv4 ACL and QoS Policy Remote Denial of Service Vulnerability

Similar to other vulnerabilities in the Cisco ASR series, this flaw targets the IPv4 access control list (ACL) and quality of service (QoS) policy mechanisms. By sending crafted IPv4 packets, an unauthenticated remote attacker may force a line card to reset or trigger network processor errors, resulting in service disruptions. With a high severity rating of 8.6, this vulnerability significantly impacts both Layer 2 VPN and certain Layer 3 configurations.

CVE-2025-20138 – Cisco IOS XR CLI Command Injection Vulnerability

This flaw in the command line interface of Cisco IOS XR Software could allow a low-privileged, local attacker to execute arbitrary commands as root. Insufficient validation of command arguments opens the door for privilege escalation. Rated as 8.8 on the severity scale, this vulnerability emphasises the risks associated with insecure input validation.

CVE-2025-20115 – Cisco IOS XR BGP Confederation Denial of Service Vulnerability

A memory corruption vulnerability in the BGP confederation implementation within Cisco IOS XR Software could be exploited by an unauthenticated remote attacker. By sending a BGP update message with an AS_CONFED_SEQUENCE attribute containing 255 autonomous systems, the attacker may cause the BGP process to restart, triggering a denial of service. This issue carries a severity rating of 8.6.

CVE-2025-1960 – WebHMI Default Credential Injection Vulnerability

A critical vulnerability exists in systems running WebHMI when default credentials are not changed upon initial setup. Owing to incorrect display of the default username in the interface, attackers could exploit this oversight to execute unauthorised commands. With an alarming severity rating of 9.8, this vulnerability highlights the risks inherent in using default configurations.