Updated at UTC 2025-10-14T20:13:37.076274

| CVE | CVSS | Git URL | Published | Description |
|---|---|---|---|---|
| CVE-2025-62366 | - | https://github.com/eladnava/mailgen/commit/7279a983481d05c51aa451e86146f98aaa42fee9 | 2025-10-14T16:15:42.170 | mailgen is a Node.js package that generates responsive HTML e-mails for sending transactional mail. Mailgen versions through 2.0.30 contain an HTML injection vulnerability in plaintext emails produced by the generatePlaintext method when user-generated content is supplied. The function attempts to remove HTML tags, but if tags are provided as encoded HTML entities they are not removed and are later decoded, resulting in active HTML (for example an img tag with an event handler) in the supposed plaintext output. In contexts where the generated plaintext string is subsequently rendered as HTML, this can allow execution of attacker-controlled JavaScript. Versions 2.0.31 and later contain a fix. No known workarounds exist. |
| CVE-2025-62174 | 3.5 | https://github.com/mastodon/mastodon/commit/1631fb80e8029d2c5425a03a2297b93f7e225217 | 2025-10-13T21:15:34.770 | Mastodon is a free, open-source social network server based on ActivityPub. In Mastodon before 4.4.6, 4.3.14, and 4.2.27, when an administrator resets a user account's password via the command-line interface using `bin/tootctl accounts modify --reset-password`, active sessions and access tokens for that account are not revoked. This allows an attacker with access to a previously compromised session or token to continue using the account after the password has been reset. This issue has been patched in versions 4.2.27, 4.3.14, and 4.4.6. No known workarounds exist. |
| CVE-2025-62170 | 7.5 | https://github.com/rathena/rathena/commit/af2f3ba33fc03dc6dd510f8cfe84cd9185af748d | 2025-10-13T18:15:34.980 | rAthena is an open-source cross-platform MMORPG server. A use-after-free vulnerability exists in the RODEX functionality of rAthena's map-server in versions prior to commit af2f3ba. An unauthenticated attacker can exploit this vulnerability via a specific attacking scenario to cause a denial of service by crashing the map-server. This issue has been patched in commit af2f3ba. There are no known workarounds aside from manually applying the patch. |