Here are the CVE updates for the week of June 16th through the 22nd.
🔴 Critical Severity Vulnerabilities
OS Command Injection in WeGIA Web Manager | CVE-2025-50201
Description:
A critical OS command injection vulnerability affected WeGIA, a web management platform for charitable institutions, in versions prior to 3.4.2. The flaw is in the /html/configuracao/debug_info.php endpoint, where the branch parameter was passed into a shell command without sanitization. As a result, unauthenticated remote attackers could execute arbitrary commands on the server with the privileges of the web server process. The developers addressed the issue in version 3.4.2.
Potential Impacts:
- Remote Code Execution: Attackers can run shell commands on the server.
- System Compromise: Hackers may deploy malware, steal data, or alter functionality.
- Privilege Abuse: Web server rights could be leveraged for deeper system access.
- Denial of Service: Executed commands may crash services or disrupt normal server operations.
Mitigation Recommendations:
- Update immediately: Install WeGIA version 3.4.2 or later.
- Sanitize Input: Validate all user inputs used in backend operations.
- Restrict Web Access: Put configuration and debug endpoints behind authentication, and do not expose the administration interface to the internet.
- Monitor Server Logs: Look for requests to debug_info.php whose branch parameter contains shell metacharacters (such as ;, |, $ or backticks), which indicate injection attempts.
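The following Python is an added illustration, not WeGIA's code (WeGIA itself is PHP, but the pattern is language-independent). It reproduces the shape of the bug, the two fixes the recommendations call for (an allowlist on branch and an argv-style call that never goes through a shell), and a log check for the endpoint. The git command the endpoint is assumed to run, the log lines and all function names are assumptions made for the example.

```python
"""
Added example (not WeGIA's code): the injection pattern behind CVE-2025-50201
reproduced in Python, with the hardened replacement and a log check.
Endpoint and parameter names come from the advisory; the git command the
endpoint runs, the log lines and the function names are assumptions.
"""
from __future__ import annotations

import re
import subprocess
from urllib.parse import parse_qs, urlsplit

# Conservative allowlist for a branch name: no shell metacharacters, no leading
# dash (so the value cannot be read as an option), bounded length.
BRANCH_RE = re.compile(r"^(?!-)[A-Za-z0-9._/-]{1,100}$")


def build_shell_command_unsafe(branch: str) -> str:
    """The vulnerable shape: untrusted input concatenated into a shell string.

    Handing the result to a shell lets ';', '|', '$(...)' and similar in
    `branch` start a second command. Kept only to show what the hardened
    version refuses; never execute it with untrusted input.
    """
    return f"git log -1 origin/{branch}"


def build_argv_safe(branch: str) -> list[str]:
    """Hardened shape: validate against an allowlist and build an argv list.

    An argv list is passed to the program directly (subprocess without
    shell=True), so no shell ever parses the value, and the allowlist rejects
    anything that is not a plausible branch name.
    """
    if not BRANCH_RE.fullmatch(branch):
        raise ValueError(f"rejected branch value: {branch!r}")
    return ["git", "log", "-1", "--", f"origin/{branch}"]


def run_debug_info(branch: str) -> str:
    """Run the validated command without a shell (assumed endpoint behaviour)."""
    completed = subprocess.run(build_argv_safe(branch), capture_output=True,
                               text=True, check=False)
    return completed.stdout


# Log check for the "Monitor Server Logs" recommendation: flag requests to
# debug_info.php whose decoded branch parameter fails the allowlist.
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')


def suspicious_branch(log_line: str) -> str | None:
    """Return the offending decoded branch value, or None if the line is clean."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return None
    url = urlsplit(m.group(1))
    if not url.path.endswith("/html/configuracao/debug_info.php"):
        return None
    for value in parse_qs(url.query).get("branch", []):  # parse_qs percent-decodes
        if not BRANCH_RE.fullmatch(value):
            return value
    return None


def scan_log(lines: list[str]) -> list[str]:
    """All offending branch values found in a batch of access-log lines."""
    return [v for line in lines if (v := suspicious_branch(line)) is not None]


# Constructed sample lines in combined log format; not from any real server.
SAMPLE_LOG = [
    '203.0.113.7 - - [18/Jun/2025:10:01:02 +0000] "GET /html/configuracao/debug_info.php?branch=main HTTP/1.1" 200 512',
    '203.0.113.7 - - [18/Jun/2025:10:01:09 +0000] "GET /html/configuracao/debug_info.php?branch=main%3Bid%3E/tmp/o HTTP/1.1" 200 640',
    '198.51.100.4 - - [18/Jun/2025:10:02:00 +0000] "GET /html/index.php?branch=x%3By HTTP/1.1" 200 100',
]

if __name__ == "__main__":
    print(build_shell_command_unsafe("main; id"))  # the injected second command survives
    print(build_argv_safe("release/3.4.2"))
    print(scan_log(SAMPLE_LOG))
```

The allowlist is deliberately narrower than what git accepts as a ref name; for a debug endpoint that is the right trade-off, since rejecting an unusual but legitimate branch costs far less than accepting a metacharacter. The third sample line carries the same payload against a different path and is not flagged, which keeps the check specific to the vulnerable endpoint.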
Secret Exfiltration Vulnerability in pgai Python Library | CVE-2025-52467
Description:
The pgai Python library, widely used in Retrieval-Augmented Generation (RAG) applications, contained a critical flaw in its GitHub Actions workflow before commit 8eb3567. During workflow execution, an attacker could extract secrets such as the GITHUB_TOKEN. With that token, a malicious actor could alter code, tamper with releases, or take over the repository. The developers resolved the vulnerability in commit 8eb3567.
Potential Impacts:
- Repository Compromise: Attackers might gain full write access.
- Secret Leakage: Sensitive tokens like GITHUB_TOKEN could be exposed.
- Supply Chain Risk: Compromised releases may affect downstream users.
- Loss of Trust: Users may unknowingly integrate malicious packages.
Mitigation Recommendations:
- Update to Latest Commit: Use 8eb3567 or newer.
- Rotate Exposed Secrets: Revoke old tokens and issue new ones; assume any secret available to the vulnerable workflow was exposed.
- Audit Workflows: Check pipelines for unsafe secret handling, in particular steps that run untrusted input while secrets are available.
- Enable Secret Scanning: Use built-in or third-party tools.
- Limit Token Permissions: Apply the principle of least privilege by declaring the minimum permissions each workflow or job needs, so a leaked GITHUB_TOKEN cannot push code or publish releases.
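The write-up does not say which construct in pgai's workflow exposed the token, so the following is not pgai's workflow or code. It is an added example for the "Audit Workflows" and "Limit Token Permissions" recommendations: a small Python script that scans GitHub Actions YAML for three common causes of this bug class (no top-level permissions block, a pull_request_target job that checks out the pull request head, and untrusted event fields expanded directly inside a run step). The two workflow documents, the regular expressions and the function names are assumptions constructed for the example.

```python
"""
Added example (not pgai's workflow or code): audit GitHub Actions YAML for
common ways a workflow hands its secrets to untrusted input. Everything here,
including the two sample workflows, is constructed for the example.
"""
from __future__ import annotations

import re

# Event fields an outside contributor controls (PR title, body, branch name, ...).
UNTRUSTED_EXPR = re.compile(
    r"\$\{\{\s*github\.event\.(?:issue|pull_request|comment|review|head_commit|commits)\b[^}]*\}\}"
)
# Checking out the PR head inside a pull_request_target job runs the
# contributor's code with the base repository's secrets available.
HEAD_CHECKOUT = re.compile(
    r"ref:\s*\$\{\{\s*github\.event\.pull_request\.head\.(?:sha|ref)\s*\}\}"
)
RUN_LINE = re.compile(r"^(\s*)(-\s*)?run:\s*(.*)$")
BLOCK_SCALARS = ("|", "|-", "|+", ">", ">-", ">+")


def audit_workflow(text: str) -> list[tuple[int, str]]:
    """Return (line number, finding) pairs; line 0 marks a document-level finding."""
    findings: list[tuple[int, str]] = []
    if not re.search(r"^permissions:", text, re.M):
        findings.append((0, "no top-level permissions: block; GITHUB_TOKEN inherits the repository default"))
    uses_pr_target = "pull_request_target" in text

    in_run, run_indent = False, 0
    for no, line in enumerate(text.splitlines(), 1):
        indent = len(line) - len(line.lstrip(" "))
        # A block scalar (run: |) ends at the first non-blank line at or left of the key.
        if in_run and line.strip() and indent <= run_indent:
            in_run = False
        m = RUN_LINE.match(line)
        if m:
            run_indent = len(m.group(1)) + len(m.group(2) or "")
            scalar = m.group(3).strip()
            in_run = scalar in BLOCK_SCALARS
            body = "" if in_run else scalar   # single-line run: check it directly
        else:
            body = line if in_run else ""
        if body and UNTRUSTED_EXPR.search(body):
            findings.append((no, "untrusted event data expanded inside a run: step; pass it through env: instead"))
        if uses_pr_target and HEAD_CHECKOUT.search(line):
            findings.append((no, "pull_request_target job checks out the PR head, running untrusted code with secrets"))
    return findings


# Constructed workflow with all three problems.
VULNERABLE_WORKFLOW = """\
name: ci
on:
  pull_request_target:
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: announce
        run: |
          echo "Building ${{ github.event.pull_request.title }}"
      - name: safe
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Building $TITLE"
"""

# Constructed corrected version: read-only token, plain pull_request trigger,
# untrusted data reaches the shell only through an environment variable.
FIXED_WORKFLOW = """\
name: ci
on:
  pull_request:
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: announce
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Building $TITLE"
"""

if __name__ == "__main__":
    for no, msg in audit_workflow(VULNERABLE_WORKFLOW):
        print(f"line {no}: {msg}")
    print("fixed workflow findings:", audit_workflow(FIXED_WORKFLOW))
```

The "safe" step in the vulnerable document is intentionally not flagged: the expression is evaluated into an environment variable, and the shell only ever sees $TITLE, which is the standard fix for expression injection. A regex scanner like this is a quick triage tool, not a YAML parser; it will miss unusual layouts, so treat a clean result as a starting point for manual review, not proof of safety.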
🟠 High Severity Vulnerabilities
TP-Link Routers – Command Injection (CISA KEV) | CVE-2023-33538
Several TP-Link router models (TL-WR940N, TL-WR841N, TL-WR740N) contain a command injection vulnerability in the /userRpm/WlanNetworkRpm endpoint of the web management interface. Because input to that endpoint is not validated, attackers can inject and execute arbitrary system commands, which may result in full device compromise. CISA has added this CVE to its Known Exploited Vulnerabilities catalog, meaning it is being exploited in the wild; affected devices should be patched where firmware is available, and the management interface should not be reachable from the WAN.
Linux Kernel – Privilege Escalation via OverlayFS | CVE-2023-0386
OverlayFS in the Linux kernel did not properly validate user IDs when copying a file up from one mount to another. As a result, a local attacker could obtain a copy of a setuid binary that kept its capabilities and execute it to gain unauthorized root access. The vulnerability is local only, but it affects any multi-user host or container environment where an unprivileged user can reach the overlay mount.
Cloudflare quiche – Congestion Window Flaw | CVE-2025-4821
A vulnerability in Cloudflare's quiche implementation of QUIC allowed a remote attacker to manipulate the congestion control state by sending crafted ACK frames. The congestion window could then grow incorrectly, letting a server send data toward the client faster than the path actually supports, which can degrade the service or the network. The issue has been addressed in version 0.24.4.
D-Link DIR-815 – Stack-Based Buffer Overflow | CVE-2025-6328
In D-Link DIR-815 firmware version 1.01, a stack-based buffer overflow in hedwig.cgi could be triggered by crafted requests. As a result, remote attackers might execute arbitrary code with elevated privileges. A public exploit already exists, so any DIR-815 reachable from an untrusted network should be treated as at immediate risk.
Veeam Backup & Replication – Backup Operator Privilege Abuse | CVE-2025-24286
In Veeam Backup & Replication, authenticated users holding the Backup Operator role could alter backup job configurations to include executable code, which could result in arbitrary code execution on the backup server when the scheduled job runs. Veeam addressed the issue in version 12.3.2. Because the Backup Operator role is meant to be a limited operational role, changes to job definitions by those accounts should be reviewed and monitored.
🟡 Medium Severity Vulnerabilities
Apple Products – iCloud Link Vulnerability | CVE-2025-43200
A logic issue in the handling of maliciously crafted photos or videos shared via iCloud Links impacted multiple Apple platforms. Apple released patches across macOS, iOS, iPadOS, visionOS, and watchOS to resolve the issue and noted that it may have been exploited in an extremely sophisticated attack against specific targeted individuals, so the medium severity rating should not be read as low urgency.
PowSyBl – Regular Expression Denial of Service (ReDoS) | CVE-2025-48058
Prior to version 6.7.2, PowSyBl's DataSource used an inefficient regular expression, and crafted input could trigger excessive backtracking, leading to a Regular Expression Denial of Service (ReDoS). Version 6.7.2 of powsybl-commons addresses the vulnerability.