Tag: cve
-
nopCommerce Flaw Lets Attackers Access Accounts Using Captured Cookies
Security researchers have uncovered a serious vulnerability in nopCommerce, a popular open-source ecommerce platform used by major companies, including Microsoft, Volvo, and BMW. The flaw allows attackers to hijack user accounts by exploiting captured session cookies, even after legitimate users have logged out. Field Details CVE ID CVE-2025-11699 Vulnerability Title Insufficient Session Cookie Invalidation Platform…
-
Apache Struts Flaw Allows Attackers to Launch Disk Exhaustion Attacks
A new security flaw has been found in Apache Struts, a popular open”‘source web application framework used by many companies worldwide. The issue, tracked as CVE”‘2025″‘64775, could allow attackers to fill a server’s disk space, causing it to stop working correctly. Field Details CVE ID CVE-2025-64775 Vulnerability Title Apache Struts flaw allows attackers to launch disk…
-
Google Fixes Android Zero-Day Flaws Actively Exploited in the Wild
Google has released critical security patches addressing two high-severity zero-day vulnerabilities in Android that are currently being exploited in limited, targeted attacks. The vulnerabilities, disclosed in the December 2025 Android Security Bulletin, affect multiple Android versions and require immediate attention from device manufacturers and users. Active Exploitation Confirmed The two CVEs under active exploitation, CVE-2025-48633…
-
OpenAI Codex CLI Flaw Allows Attackers to Run Arbitrary Commands
OpenAI’s Codex CLI, a command-line tool designed to bring AI-powered reasoning into developer workflows, contains a critical vulnerability that allows attackers to execute arbitrary commands on developer machines without any user interaction or approval. Security researchers Isabel Mill and Oded Vanunu discovered the flaw, tracked as CVE-2025-61260, on December 1, 2025. Attribute Details CVE ID CVE-2025-61260…
-
OpenAI Codex CLI Flaw Allows Attackers to Run Arbitrary Commands
OpenAI’s Codex CLI, a command-line tool designed to bring AI-powered reasoning into developer workflows, contains a critical vulnerability that allows attackers to execute arbitrary commands on developer machines without any user interaction or approval. Security researchers Isabel Mill and Oded Vanunu discovered the flaw, tracked as CVE-2025-61260, on December 1, 2025. Attribute Details CVE ID CVE-2025-61260…
-
Google Fixes Android Zero-Day Flaws Actively Exploited in the Wild
Google has released critical security patches addressing two high-severity zero-day vulnerabilities in Android that are currently being exploited in limited, targeted attacks. The vulnerabilities, disclosed in the December 2025 Android Security Bulletin, affect multiple Android versions and require immediate attention from device manufacturers and users. Active Exploitation Confirmed The two CVEs under active exploitation, CVE-2025-48633…
-
âš¡ Weekly Recap: Hot CVEs, npm Worm Returns, Firefox RCE, M365 Email Raid & More
Hackers aren’t kicking down the door anymore. They just use the same tools we use every day, code packages, cloud accounts, email, chat, phones, and “trusted” partners, and turn them against us.One bad download can leak your keys. One weak vendor can expose many customers at once. One guest invite, one link on a phone,…
-
U.S. CISA adds an OpenPLC ScadaBR flaw to its Known Exploited Vulnerabilities catalog
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds an OpenPLC ScadaBR flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an OpenPLC ScadaBR flaw, tracked as CVE-2021-26829 (CVSS score of 5.4), to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is a cross-site scripting (XSS) flaw that impacts Windows and Linux versions via system_settings.shtm.…
-
U.S. CISA adds an OpenPLC ScadaBR flaw to its Known Exploited Vulnerabilities catalog
U.S. Cybersecurity and Infrastructure Security Agency (CISA) adds an OpenPLC ScadaBR flaw to its Known Exploited Vulnerabilities catalog. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) added an OpenPLC ScadaBR flaw, tracked as CVE-2021-26829 (CVSS score of 5.4), to its Known Exploited Vulnerabilities (KEV) catalog. The vulnerability is a cross-site scripting (XSS) flaw that impacts Windows and Linux versions via system_settings.shtm.…
-
PoC Released for Outlook “MonikerLink” RCE Flaw Allowing Remote Code Execution
Security researchers have released a proof-of-concept (PoC) exploit for CVE-2024-21413, a critical remote code execution vulnerability in Microsoft Outlook dubbed >>MonikerLink.
-
CISA Adds Actively Exploited XSS Bug CVE-2021-26829 in OpenPLC ScadaBR to KEV
Tags: cisa, cve, cybersecurity, exploit, flaw, infrastructure, kev, linux, software, vulnerability, windows, xssThe U.S. Cybersecurity and Infrastructure Security Agency (CISA) has updated its Known Exploited Vulnerabilities (KEV) catalog to include a security flaw impacting OpenPLC ScadaBR, citing evidence of active exploitation.The vulnerability in question is CVE-2021-26829 (CVSS score: 5.4), a cross-site scripting (XSS) flaw that affects Windows and Linux versions of the software via First seen on…
-
Mystery OAST Tool Exploits 200 CVEs Using Google Cloud for Large-Scale Attacks
A sophisticated threat actor has been operating a private Out-of-band Application Security Testing (OAST) service hosted on Google Cloud infrastructure to conduct a large-scale exploit campaign targeting more than 200 CVEs, according to new research from VulnCheck. Private OAST Domain Raises Red Flags Security researchers at VulnCheck identified unusual activity involving callbacks to detectors-testing.com, an unfamiliar…
-
Windows-Schwachstelle CVE-2025-59287 wird für ShadowPad-Malware-Verteilung per WSUS genutzt
In Windows Server gab es eine mit einem CVSS Score von 9.8 bewertete kritische RCE-Schwachstelle CVE-2025-59287 im WSUS-Teil, mit dem sich die Systeme übernehmen lassen. Die Schwachstelle wurde im Oktober 2025 mit Sicherheitsupdates geschlossen. Nun gibt es Berichte, dass Angreifer … First seen on borncity.com Jump to article: www.borncity.com/blog/2025/11/28/windows-schwachstelle-cve-2025-59287-wird-fuer-shadowpad-malware-verteilung-per-wsus-genutzt/
-
Apache SkyWalking Flaw Allows Attackers to Launch XSS Attacks
A recently discovered vulnerability in Apache SkyWalking, a popular application performance monitoring tool, could allow attackers to execute malicious scripts and launch cross-site scripting (XSS) attacks. The flaw, identified as CVE-2025-54057, affects all versions of SkyWalking up to 10.2.0. CVE ID Description Severity Affected Versions CVE-2025-54057 Stored XSS vulnerability in Apache SkyWalking Important Through 10.2.0…
-
Apache SkyWalking Flaw Allows Attackers to Launch XSS Attacks
A recently discovered vulnerability in Apache SkyWalking, a popular application performance monitoring tool, could allow attackers to execute malicious scripts and launch cross-site scripting (XSS) attacks. The flaw, identified as CVE-2025-54057, affects all versions of SkyWalking up to 10.2.0. CVE ID Description Severity Affected Versions CVE-2025-54057 Stored XSS vulnerability in Apache SkyWalking Important Through 10.2.0…
-
NVIDIA DGX Spark Flaws Allow Attackers to Run Malicious Code and Launch DoS Attacks
NVIDIA has released security updates to address fourteen critical vulnerabilities in its DGX Spark system. These flaws could allow attackers to execute malicious code, steal sensitive information, and launch denial-of-service attacks that crash the system. The vulnerabilities affect all versions of NVIDIA DGX OS before the latest OTA0 update. CVE ID Severity CVSS Score Potential…
-
NVIDIA DGX Spark Flaws Allow Attackers to Run Malicious Code and Launch DoS Attacks
NVIDIA has released security updates to address fourteen critical vulnerabilities in its DGX Spark system. These flaws could allow attackers to execute malicious code, steal sensitive information, and launch denial-of-service attacks that crash the system. The vulnerabilities affect all versions of NVIDIA DGX OS before the latest OTA0 update. CVE ID Severity CVSS Score Potential…
-
New ASUS firmware patches critical AiCloud vulnerability
ASUS released new firmware to address multiple vulnerabilities, including a critical authentication bypass flaw in routers with AiCloud enabled. ASUS has issued new firmware addressing nine security vulnerabilities, including a critical authentication bypass, tracked as CVE-2025-59366 (CVSS score of 9.2), affecting routers with AiCloud enabled. >>Researchers have reported potential vulnerabilities in ASUS Router. ASUS has…
-
Update Firefox to Patch CVE-2025-13016 Vulnerability Affecting 180 Million Users
AI security firm AISLE revealed CVE-2025-13016, a critical Firefox Wasm bug that risked 180M users for six months. Learn how the memory flaw allowed code execution. First seen on hackread.com Jump to article: hackread.com/update-firefox-patch-cve-2025-13016-vulnerability/
-
Fluent Bit vulnerabilities could enable full cloud takeover
Tags: backdoor, cloud, computing, container, cve, docker, flaw, malicious, open-source, remote-code-execution, vulnerabilityFile writes, container overflow, and full agent takeover: Oligo also disclosed a chain of remote code execution (RCE) and path traversal vulnerabilities affecting the tool. CVE-2025-12972 targets the “out_file” output plugin. When Tag values are user-controlled, and no fixed File parameter is set, attackers can abuse the Tag value (e.g.,”../”) to cause path-traversal file writes…
-
Fluent Bit vulnerabilities could enable full cloud takeover
Tags: backdoor, cloud, computing, container, cve, docker, flaw, malicious, open-source, remote-code-execution, vulnerabilityFile writes, container overflow, and full agent takeover: Oligo also disclosed a chain of remote code execution (RCE) and path traversal vulnerabilities affecting the tool. CVE-2025-12972 targets the “out_file” output plugin. When Tag values are user-controlled, and no fixed File parameter is set, attackers can abuse the Tag value (e.g.,”../”) to cause path-traversal file writes…
-
Fluent Bit vulnerabilities could enable full cloud takeover
Tags: backdoor, cloud, computing, container, cve, docker, flaw, malicious, open-source, remote-code-execution, vulnerabilityFile writes, container overflow, and full agent takeover: Oligo also disclosed a chain of remote code execution (RCE) and path traversal vulnerabilities affecting the tool. CVE-2025-12972 targets the “out_file” output plugin. When Tag values are user-controlled, and no fixed File parameter is set, attackers can abuse the Tag value (e.g.,”../”) to cause path-traversal file writes…
-
Fluent Bit vulnerabilities could enable full cloud takeover
Tags: backdoor, cloud, computing, container, cve, docker, flaw, malicious, open-source, remote-code-execution, vulnerabilityFile writes, container overflow, and full agent takeover: Oligo also disclosed a chain of remote code execution (RCE) and path traversal vulnerabilities affecting the tool. CVE-2025-12972 targets the “out_file” output plugin. When Tag values are user-controlled, and no fixed File parameter is set, attackers can abuse the Tag value (e.g.,”../”) to cause path-traversal file writes…
-
Apache Syncope Passwords at Risk from Newly Disclosed CVE-2025-65998
A critical security flaw has been uncovered in Apache Syncope, the widely used open-source identity management system, potentially putting organizations at risk of exposing sensitive password information. First seen on thecyberexpress.com Jump to article: thecyberexpress.com/apache-syncope-cve-2025-65998-flaw/
-
Apache Syncope Passwords at Risk from Newly Disclosed CVE-2025-65998
A critical security flaw has been uncovered in Apache Syncope, the widely used open-source identity management system, potentially putting organizations at risk of exposing sensitive password information. First seen on thecyberexpress.com Jump to article: thecyberexpress.com/apache-syncope-cve-2025-65998-flaw/
-
Apache Syncope Passwords at Risk from Newly Disclosed CVE-2025-65998
A critical security flaw has been uncovered in Apache Syncope, the widely used open-source identity management system, potentially putting organizations at risk of exposing sensitive password information. First seen on thecyberexpress.com Jump to article: thecyberexpress.com/apache-syncope-cve-2025-65998-flaw/
-
NVIDIA Isaac-GROOT Flaws Let Attackers Inject Malicious Code
NVIDIA has released security updates addressing two critical code injection vulnerabilities in its Isaac-GR00T robotics software platform. The flaws could allow attackers with local system access to execute arbitrary code, escalate privileges, and tamper with sensitive data, potentially compromising robotic systems and their underlying infrastructure. The vulnerabilities, tracked as CVE-2025-33183 and CVE-2025-33184, affect all versions…
-
Azure Bastion mit schwerer Schwachstelle CVE-2025-49752
Der Microsoft Azure Bastion-Dienst zum sicheren und nahtlosen RDP- und SSH-Zugriff auf virtuelle Azure-Maschinen (VMs) weist für alle Bereitstellungen vor dem 20. November 2025 eine schwere Schwachstelle CVE-2025-49752 (CVSS Score 10.0) auf. Am 21. November 2025 hat Microsoft den Dienst … First seen on borncity.com Jump to article: www.borncity.com/blog/2025/11/25/azure-bastion-mit-schwerer-schwachstelle-cve-2025-49752/