Common Vulnerabilities and Exposures (CVE)

CVE-2025-59509

Dec 9, 2025 22:38:34 UTC

Insertion of sensitive information into sent data in Windows Speech allows an authorized attacker to disclose information locally.

CVE-2025-59508

Dec 9, 2025 22:38:33 UTC

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Speech allows an authorized attacker to elevate privileges locally.

CVE-2025-59507

Dec 9, 2025 22:38:32 UTC

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Speech allows an authorized attacker to elevate privileges locally.

CVE-2025-59506

Dec 9, 2025 22:38:32 UTC

Concurrent execution using shared resource with improper synchronization ('race condition') in Windows DirectX allows an authorized attacker to elevate privileges locally.

CVE-2025-59505

Dec 9, 2025 22:38:31 UTC

Double free in Windows Smart Card allows an authorized attacker to elevate privileges locally.

CVE-2025-59504

Dec 9, 2025 22:38:30 UTC

Heap-based buffer overflow in Azure Monitor Agent allows an unauthorized attacker to execute code locally.

CVE-2025-64656

Dec 9, 2025 22:38:29 UTC

Out-of-bounds read in Application Gateway allows an unauthorized attacker to elevate privileges over a network.

CVE-2025-49178

Dec 9, 2025 22:31:17 UTC

A flaw was found in the X server's request handling. Non-zero 'bytes to ignore' in a client's request can cause the server to skip processing another client's request, potentially leading to a denial of service.

CVE-2025-49180

Dec 9, 2025 22:31:09 UTC

A flaw was found in the RandR extension, where the RRChangeProviderProperty function does not properly validate input. This issue leads to an integer overflow when computing the total size to allocate.

CVE-2025-49179

Dec 9, 2025 22:31:08 UTC

A flaw was found in the X Record extension. The RecordSanityCheckRegisterClients function does not check for an integer overflow when computing request length, which allows a client to bypass length checks.

CVE-2025-49177

Dec 9, 2025 22:31:01 UTC

A flaw was found in the XFIXES extension. The XFixesSetClientDisconnectMode handler does not validate the request length, allowing a client to read unintended memory from previous requests.

CVE-2025-59089

Dec 9, 2025 22:26:42 UTC

If an attacker causes kdcproxy to connect to an attacker-controlled KDC server (e.g. through server-side request forgery), they can exploit the fact that kdcproxy does not enforce bounds on TCP response length to conduct a denial-of-service...

CVE-2025-59088

Dec 9, 2025 22:26:38 UTC

If kdcproxy receives a request for a realm which does not have server addresses defined in its configuration, by default, it will query SRV records in the DNS zone matching the requested realm name. This creates a server-side request forger...

CVE-2025-63012

Dec 9, 2025 21:52:25 UTC

Cross-Site Request Forgery (CSRF) vulnerability in ThimPress WP Hotel Booking wp-hotel-booking allows Cross Site Request Forgery. This issue affects WP Hotel Booking: from n/a through <= 2.2.7.

CVE-2025-67587

Dec 9, 2025 21:45:02 UTC

URL Redirection to Untrusted Site ('Open Redirect') vulnerability in CRM Perks WP Gravity Forms FreshDesk Plugin gf-freshdesk allows Phishing. This issue affects WP Gravity Forms FreshDesk Plugin: from n/a through <= 1.3.5.