Vulnerability Recap

Cybersecurity News, CVE Recaps, and Education Resource

Cybersecurity Updates: Vulnerabilities, April 21 – 27, 2025

Vuln Recap Editor, April 28, 2025

Here are the CVE updates for the week of April 21st through the 27th.

CRITICAL SEVERITY VULNERABILITIES

Command Injection Vulnerability in YoutubeDLSharp on Windows | CVE-2025-43858

Description: A command injection flaw affects YoutubeDLSharp versions 1.0.0-beta4 through 1.1.1 on Windows systems. The vulnerability stems from unsafe argument handling when invoking yt-dlp with the UseWindowsEncodingWorkaround flag set to true (the default). Attackers can exploit this behavior to execute arbitrary commands via the Windows command prompt, especially when built-in methods from YoutubeDL.cs are used. The issue has been resolved in version 1.1.2.

Potential Impacts:

  • Remote Code Execution (RCE): Malicious commands could be executed on the system, potentially compromising its integrity.
  • Privilege Escalation: Exploits could run with the same permissions as the application, allowing further lateral movement.
  • System Compromise: Attackers may install malware, access sensitive data, or disrupt system operations.

Mitigation Recommendations:

  • Upgrade to Version 1.1.2 or Later: This version includes the patch for the command injection vulnerability.
  • Avoid Using Built-In Methods with Defaults: Until upgraded, avoid using default configurations that implicitly enable UseWindowsEncodingWorkaround.
  • Sanitize Input: Validate and sanitize any input passed to the wrapper functions, especially those coming from untrusted sources.
  • Restrict Application Privileges: Run the application with the least privileges necessary to limit the impact of potential exploitation.
  • Monitor for Exploitation: Log and monitor traffic to/from network cameras for suspicious HTTP requests targeting /cgi-bin/admin/testserver.cgi.
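To act on the upgrade recommendation, the following added example (not code from YoutubeDLSharp or from this site) scans a .NET project file for a YoutubeDLSharp reference inside the affected range stated above. The sample project file is constructed, and comparing pre-release suffixes such as beta4 numerically is an assumption of this sketch.

```python
import re
import xml.etree.ElementTree as ET

# Range from the advisory text: 1.0.0-beta4 through 1.1.1 affected, fixed in 1.1.2.
FIRST_AFFECTED, LAST_AFFECTED = "1.0.0-beta4", "1.1.1"

# Constructed sample project file (not from any real repository).
SAMPLE_CSPROJ = """<Project Sdk="Microsoft.NET.Sdk">
  <ItemGroup>
    <PackageReference Include="YoutubeDLSharp" Version="1.1.1" />
    <PackageReference Include="Newtonsoft.Json" Version="13.0.3" />
  </ItemGroup>
</Project>"""

def version_key(version):
    """Sortable key for 'X.Y.Z' or 'X.Y.Z-labelN'; a pre-release sorts before its release."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-([A-Za-z]+)(\d*))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch, label, num = m.groups()
    # Assumption: the numeric suffix of a label is compared as a number (beta10 > beta4).
    pre = (1, "", 0) if label is None else (0, label.lower(), int(num or 0))
    return (int(major), int(minor), int(patch), pre)

def is_affected(version):
    return version_key(FIRST_AFFECTED) <= version_key(version) <= version_key(LAST_AFFECTED)

def _local(tag):
    # Old-style project files carry an XML namespace; compare on the local name only.
    return tag.rsplit("}", 1)[-1]

def scan_csproj(xml_text):
    """Return (version, status) for each YoutubeDLSharp PackageReference in a project file."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "PackageReference":
            continue
        if (el.get("Include") or "").lower() != "youtubedlsharp":  # NuGet ids ignore case
            continue
        version = el.get("Version") or next(
            (c.text or "" for c in el if _local(c.tag) == "Version"), "")
        try:
            status = "AFFECTED" if is_affected(version) else "ok"
        except ValueError:
            status = "REVIEW"  # floating, ranged or centrally managed versions need a manual look
        findings.append((version, status))
    return findings
```

A `REVIEW` result means the version could not be pinned down from the project file alone, so the resolved version in the lock file or build output should be checked.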

Improper Authorization Controls in Meon Bidding Solutions API | CVE-2025-42605

Description: Meon Bidding Solutions contains a vulnerability due to insufficient authorization enforcement on certain API endpoints. This flaw allows authenticated remote attackers to modify API request parameters and manipulate data from other user accounts. The lack of proper user permission validation before performing sensitive actions can lead to unauthorized account access and data tampering.

Potential Impacts:

  • Account Takeover: Attackers can gain unauthorized access to other user accounts.
  • Data Manipulation: Unauthorized modifications or cancellations of operations tied to other users.
  • Integrity Loss: Compromised trust and integrity of the bidding system.
  • Regulatory and Legal Risk: Potential violation of data protection laws due to unauthorized data access.

Mitigation Recommendations:

  • Implement Proper Authorization Checks: Enforce strict access controls to verify user privileges before processing sensitive API requests.
  • Apply Security Updates: Patch the application with updates that address this vulnerability.
  • Monitor API Usage: Set up logging and anomaly detection for abnormal access patterns across user accounts.
  • Rate Limiting and Throttling: Prevent abuse of API endpoints by applying rate limits.
  • Conduct Security Testing: Perform regular authorization and access control assessments on all API endpoints.
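The authorization check and the API monitoring recommended above can be sketched together. This is an added example, not Meon's code: the bid store, `cancel_bid`, the `user_id` parameter and the audit log format are all hypothetical, and the data is constructed.

```python
from collections import Counter

# Constructed sample data: bid id -> owning account and state.
BIDS = {
    101: {"owner": "alice", "status": "open"},
    102: {"owner": "bob", "status": "open"},
}
AUDIT_LOG = []  # entries: (session_user, action, bid_id, outcome)

class Forbidden(Exception):
    pass

def cancel_bid(session_user, params):
    """Cancel a bid. The acting identity comes from the authenticated session;
    any user identifier supplied in the request parameters is ignored."""
    bid_id = int(params["bid_id"])
    bid = BIDS.get(bid_id)
    # Same error for "missing" and "not yours", so bid ids cannot be enumerated.
    if bid is None or bid["owner"] != session_user:
        AUDIT_LOG.append((session_user, "cancel", bid_id, "denied"))
        raise Forbidden("bid not found")
    bid["status"] = "cancelled"
    AUDIT_LOG.append((session_user, "cancel", bid_id, "ok"))
    return bid

def flag_suspicious_accounts(log, threshold=3):
    """Accounts with at least `threshold` denied object accesses, a signal of
    request-parameter tampering against other users' records."""
    denied = Counter(user for user, _, _, outcome in log if outcome == "denied")
    return sorted(user for user, count in denied.items() if count >= threshold)
```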

HIGH SEVERITY VULNERABILITIES

User-Agent Header XSS Leading to Remote Code Execution in Arista NG Firewall | CVE-2025-2767: A critical XSS vulnerability in Arista NG Firewall enables remote code execution via improper input handling in the User-Agent HTTP header. Due to insufficient validation, attackers can inject malicious scripts that execute with root privileges after minimal user interaction. The flaw is tracked as ZDI-CAN-24407 and poses a significant security risk.

Uninitialized Pointer in PVS File Parsing Leading to Remote Code Execution in Luxion KeyShot | CVE-2025-1047: A vulnerability in Luxion KeyShot allows remote code execution due to an uninitialized pointer during the parsing of .pvs files. Attackers can exploit this by delivering a specially crafted .pvs file or luring users to a malicious site that triggers parsing. If successful, arbitrary code may be executed under the current user’s privileges. This flaw is tracked as ZDI-CAN-23694.

Content Spoofing Vulnerability in RosarioSIS Theme Configuration | CVE-2025-29621: A vulnerability in RosarioSIS v12.0.0’s “My Preferences” module allows attackers to inject crafted content into the theme configuration due to improper validation of user-supplied settings. This flaw enables malicious users to spoof application interfaces or modify key settings, potentially altering how the system appears or behaves for other users.

Insufficient Session Expiration Vulnerability in ALBEDO Telecom Net.Time | CVE-2025-2185: ALBEDO Telecom Net.Time – PTP/NTP clock (Serial No. NBC0081P) software release 1.4.4 is affected by an insufficient session expiration vulnerability. This issue could allow attackers to exploit active sessions where passwords and sensitive information are transmitted over unencrypted connections. Consequently, the device may become vulnerable to interception attacks, exposing critical credentials and potentially compromising system security.

MEDIUM SEVERITY VULNERABILITIES

Denial of Service Vulnerability in Cray Operating System Kernel | CVE-2025-27087: A flaw in the kernel of the Cray Operating System (COS) allows a local attacker with access to the system to trigger a denial of service (DoS) condition. By exploiting improper handling of specific kernel operations, the attacker can cause the system to crash or hang, disrupting all services running on the affected host.

Multiple SQL Injection Vulnerabilities in EasyVirt DCScope and CO2Scope | CVE-2025-28076: EasyVirt DCScope versions up to 8.6.4 and CO2Scope versions up to 1.3.4 are affected by multiple SQL injection vulnerabilities. Remote authenticated attackers can exploit various parameters, including timeago, user, filter, target, and numerous p1–p20 and ID, NAME, CPUTHREADNB, RAMCAP, and DISKCAP fields, in API endpoints such as /api/management/updateihmsettings and /api/capaplan/savetemplates. Successful exploitation could allow attackers to execute arbitrary SQL commands, potentially leading to full database compromise.
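The class of flaw described for these parameters, shown as an added example that is not EasyVirt's code: request values concatenated into SQL text beside the parameterized form. The `templates` table, its `owner` column and the function names are assumptions; only the field names ID, NAME, CPUTHREADNB, RAMCAP and DISKCAP come from the entry above.

```python
import sqlite3

def make_db():
    """In-memory database with constructed rows (schema is an assumption)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE templates (ID INTEGER, NAME TEXT, CPUTHREADNB INTEGER,"
               " RAMCAP INTEGER, DISKCAP INTEGER, owner TEXT)")
    db.executemany("INSERT INTO templates VALUES (?, ?, ?, ?, ?, ?)",
                   [(1, "small", 2, 4, 50, "alice"), (2, "large", 16, 64, 500, "bob")])
    return db

def find_templates_unsafe(db, user, name):
    # Vulnerable pattern: request values become part of the SQL text, so a quote
    # character in `name` changes the structure of the query.
    sql = f"SELECT ID FROM templates WHERE owner = '{user}' AND NAME = '{name}'"
    return [row[0] for row in db.execute(sql)]

# Column names cannot be bound as parameters, so they are checked against a fixed set.
SORTABLE = {"ID", "NAME", "CPUTHREADNB", "RAMCAP", "DISKCAP"}

def find_templates_safe(db, user, name, order_by="ID"):
    # Hardened pattern: values are bound with placeholders and stay data.
    if order_by not in SORTABLE:
        raise ValueError("unsupported sort column")
    sql = f"SELECT ID FROM templates WHERE owner = ? AND NAME = ? ORDER BY {order_by}"
    return [row[0] for row in db.execute(sql, (user, name))]
```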
