Xavlimsg

**Name of the Vulnerable Software and Affected Versions** Keycloak (affected versions not specified) **Description** A broken access control issue exists in the Account Resources user lookup endpoint. A remote authenticated user who owns at least one User-Managed Access (UMA) resource can enumerate and harvest personally identifiable information (PII) for all realm users. By sending crafted requests with arbitrary usernames or email values to the endpoint, the system returns full profile objects for unrelated users, resulting in broad profile-level information disclosure. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Node.js versions 25.x **Description** A flaw in the Node.js Permission Model’s network enforcement allows Unix Domain Socket (UDS) server operations to proceed without the necessary permission checks. All other network paths correctly enforce these checks. Consequently, code running under `--permission` without `--allow-net` can create and expose local Inter-Process Communication (IPC) endpoints, enabling communication with other processes on the same host, bypassing the intended network restriction boundary. The `--allow-net` feature is currently experimental. **Recommendations** For Node.js version 25.x, avoid running processes under `--permission` without including the `--allow-net` flag to restrict network access.

**Name of the Vulnerable Software and Affected Versions** MiCode FileExplorer (affected versions not specified) **Description** The software contains an authentication bypass in the embedded SwiFTP FTP server component. This allows network attackers to log in without valid credentials by sending arbitrary username and password combinations to the `PASS` command handler, which unconditionally grants access. Successful exploitation allows attackers to list, read, write, and delete files exposed by the FTP server. The MiCode/Explorer open source project has reached end-of-life status. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** VideoLAN VLC for Android versions prior to 3.7.0 **Description** The Remote Access Server feature in VideoLAN VLC for Android has an authentication bypass due to inadequate rate limiting on one-time password (OTP) verification. The server utilizes a 4-digit OTP but lacks effective throttling or lockout mechanisms during the OTP validity period. An attacker with network access can repeatedly attempt OTP verification to obtain a valid `user session` cookie, leading to unauthorized access to the Remote Access interface. Access is limited to media files shared by the VLC for Android user through the interface. The affected API endpoint is not explicitly mentioned. **Recommendations** Update VideoLAN VLC for Android to version 3.7.0 or later.

**Name of the Vulnerable Software and Affected Versions** jishi node-sonos-http-api versions prior to 3776f0ee2261c924c7b7204de121a38100a08ca7 **Description** A flaw exists in jishi node-sonos-http-api that could allow for remote execution of operating system commands. The issue is related to the manipulation of the `phrase` argument within the `Promise` function located in the `lib/tts-providers/mac-os.js` file of the TTS Provider component. The exploit for this issue has been publicly released. **Recommendations** Update jishi node-sonos-http-api to a version later than 3776f0ee2261c924c7b7204de121a38100a08ca7.

**Name of the Vulnerable Software and Affected Versions** Galaxy FDS Android SDK (XiaoMi/galaxy-fds-sdk-android) versions prior to 3.0.9 **Description** The Galaxy FDS Android SDK disables TLS hostname verification when HTTPS is enabled by default. Specifically, the `createHttpClient()` function within the `GalaxyFDSClientImpl` class configures Apache HttpClient with `SSLSocketFactory.ALLOW ALL HOSTNAME VERIFIER`, accepting any TLS certificate regardless of hostname mismatch. This allows a man-in-the-middle attacker to intercept and modify communications to Xiaomi FDS cloud storage endpoints, potentially exposing authentication credentials, file contents, and API responses. The XiaoMi/galaxy-fds-sdk-android open source project has reached end-of-life status. **Recommendations** Versions prior to 3.0.9 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** DNSdist (affected versions not specified) **Description** An attacker may be able to cause DNSdist to allocate excessive memory when handling DNS over QUIC or DNS over HTTP/3 payloads, potentially leading to a denial of service. In some scenarios, the system might experience an out-of-memory condition and terminate the process. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.