{"vulnerability": "CVE-2025-5299", "sightings": [{"uuid": "71760337-e6d8-4999-9243-91616686ccac", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-5299", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3lqalk2au7e2e", "content": "", "creation_timestamp": "2025-05-28T16:07:18.312480Z"}, {"uuid": "241def07-17a8-4c3e-809f-d8616bf7ee1c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "4f29edb9-4c4b-44ca-b041-9b050656b6ae", "vulnerability": "CVE-2025-52998", "type": "seen", "source": "https://bsky.app/profile/thehackerwire.bsky.social/post/3mg6hcjheki2s", "content": "", "creation_timestamp": "2026-03-03T19:00:27.370064Z"}, {"uuid": "beaa685a-bf8d-40f9-a70b-45792625dafb", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-52996", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/19968", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-52996\n\ud83d\udd25 CVSS Score: 3.1 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N)\n\ud83d\udd39 Description: File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. In versions 2.32.0 and prior, the implementation of password protected links is error-prone, resulting in potential unprotected sharing of a file through a direct download link. This link can either be shared unknowingly by a user or discovered from various locations such as the browser history or the log of a proxy server used. At time of publication, no known patched versions are available.\n\ud83d\udccf Published: 2025-06-30T19:58:33.484Z\n\ud83d\udccf Modified: 2025-06-30T19:58:33.484Z\n\ud83d\udd17 References:\n1. https://github.com/filebrowser/filebrowser/security/advisories/GHSA-3v48-283x-f2w4\n2. https://github.com/filebrowser/filebrowser/issues/5239", "creation_timestamp": "2025-06-30T20:08:45.000000Z"}, {"uuid": "45ca4b0f-31c5-4584-bdf5-1d91ea3d8341", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-52999", "type": "seen", "source": "https://t.me/DarkWebInformer_CVEAlerts/19492", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-52999\n\ud83d\udd25 CVSS Score: 8.7 (cvssV4_0, Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N)\n\ud83d\udd39 Description: jackson-core contains core low-level incremental (\"streaming\") parser and generator abstractions used by Jackson Data Processor. In versions prior to 2.15.0, if a user parses an input file and it has deeply nested data, Jackson could end up throwing a StackoverflowError if the depth is particularly large. jackson-core 2.15.0 contains a configurable limit for how deep Jackson will traverse in an input document, defaulting to an allowable depth of 1000. jackson-core will throw a StreamConstraintsException if the limit is reached. jackson-databind also benefits from this change because it uses jackson-core to parse JSON inputs. As a workaround, users should avoid parsing input files from untrusted sources.\n\ud83d\udccf Published: 2025-06-25T17:02:57.428Z\n\ud83d\udccf Modified: 2025-06-25T17:02:57.428Z\n\ud83d\udd17 References:\n1. https://github.com/FasterXML/jackson-core/security/advisories/GHSA-h46c-h94j-95f3\n2. https://github.com/FasterXML/jackson-core/pull/943", "creation_timestamp": "2025-06-25T18:06:23.000000Z"}, {"uuid": "f7fa3bac-3981-4754-b0a3-40c01bec999c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-52995", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3lsu3lhwn5z2i", "content": "", "creation_timestamp": "2025-06-30T21:05:24.277301Z"}, {"uuid": "2e2f7bf3-f778-4bf9-9953-b3fc7a7d1d57", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-52997", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3lsu45eu47z2p", "content": "", "creation_timestamp": "2025-06-30T21:15:24.981626Z"}, {"uuid": "9a7360d6-37c1-44c2-a787-4f6990d52d33", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-52996", "type": "seen", "source": "https://bsky.app/profile/cve.skyfleet.blue/post/3lsu4pbqu5f2o", "content": "", "creation_timestamp": "2025-06-30T21:25:25.531383Z"}, {"uuid": "d1137974-7ed7-4798-ac27-139fdadd7eec", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-5299", "type": "seen", "source": "https://bsky.app/profile/2rZiKKbOU3nTafniR2qMMSE0gwZ.activitypub.awakari.com.ap.brid.gy/post/3lqaiu6e5myt2", "content": "", "creation_timestamp": "2025-05-28T15:22:25.307975Z"}, {"uuid": "f0abb317-d026-4d8e-9acd-53f667d27903", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-52999", "type": "seen", "source": "https://vulnerability.circl.lu/bundle/bbcbc485-b88d-4831-b8e9-6e37e7bd9875", "content": "", "creation_timestamp": "2026-01-21T21:18:16.771453Z"}, {"uuid": "caad9220-61c1-4578-a548-947971f71137", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-52995", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/19969", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-52995\n\ud83d\udd25 CVSS Score: 8.1 (cvssV3_1, Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H)\n\ud83d\udd39 Description: File Browser provides a file managing interface within a specified directory and it can be used to upload, delete, preview, rename and edit files. Prior to version 2.33.10, the implementation of the allowlist is erroneous, allowing a user to execute more shell commands than they are authorized for. The concrete impact of this vulnerability depends on the commands configured, and the binaries installed on the server or in the container image. Due to the missing separation of scopes on the OS-level, this could give an attacker access to all files managed the application, including the File Browser database. This issue has been patched in version 2.33.10.\n\ud83d\udccf Published: 2025-06-30T19:57:52.307Z\n\ud83d\udccf Modified: 2025-06-30T19:57:52.307Z\n\ud83d\udd17 References:\n1. https://github.com/filebrowser/filebrowser/security/advisories/GHSA-w7qc-6grj-w7r8\n2. https://github.com/filebrowser/filebrowser/commit/4d830f707fc4314741fd431e70c2ce50cd5a3108\n3. https://github.com/filebrowser/filebrowser/releases/tag/v2.33.10", "creation_timestamp": "2025-06-30T20:08:47.000000Z"}, {"uuid": "84203d3e-a76a-496f-96db-a2fc851fc67f", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "2a075640-a300-48a4-bb44-bc6130783b9b", "vulnerability": "CVE-2025-52991", "type": "published-proof-of-concept", "source": "https://t.me/DarkWebInformer_CVEAlerts/19741", "content": "\ud83d\udd17 DarkWebInformer.com - Cyber Threat Intelligence\n\ud83d\udccc CVE ID: CVE-2025-52991\n\ud83d\udd25 CVSS Score: 3.2 (cvssV3_1, Vector: CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N)\n\ud83d\udd39 Description: The Nix, Lix, and Guix package managers default to using temporary build directories in a world-readable and world-writable location. This allows standard users to deceive the package manager into using directories with pre-existing content, potentially leading to unauthorized actions or data manipulation. This affects Nix before 2.24.15, 2.26.4, 2.28.4, and 2.29.1; Lix before 2.91.2, 2.92.2, and 2.93.1; and Guix before 1.4.0-38.0e79d5b.\n\ud83d\udccf Published: 2025-06-27T00:00:00.000Z\n\ud83d\udccf Modified: 2025-06-27T15:46:39.932Z\n\ud83d\udd17 References:\n1. https://discourse.nixos.org/t/security-advisory-privilege-escalations-in-nix-lix-and-guix/66017\n2. https://lix.systems/blog/2025-06-24-lix-cves/\n3. https://guix.gnu.org/en/blog/2025/privilege-escalation-vulnerabilities-2025/\n4. https://security.snyk.io/vuln/?search=CVE-2025-52991\n5. https://security-tracker.debian.org/tracker/CVE-2025-52991\n6. https://labs.snyk.io", "creation_timestamp": "2025-06-27T15:53:19.000000Z"}]}