Aggregator

A vulnerability was found in BoyunCMS up to 1.4.20. It has been classified as critical. This affects an unknown part of the file /install/install_ok.php of the component Configuration File Handler. The manipulation of the argument db_pass leads to code injection. This vulnerability is uniquely identified as CVE-2025-7101. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

Submit #604321 / VDB-311214

A vulnerability was found in BoyunCMS up to 1.4.20 and classified as critical. Affected by this issue is some unknown functionality of the file /application/user/controller/Index.php. The manipulation of the argument image leads to unrestricted upload. This vulnerability is handled as CVE-2025-7100. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability has been found in BoyunCMS up to 1.21 on PHP7 and classified as critical. Affected by this vulnerability is an unknown functionality of the file install/install2.php of the component Installation Handler. The manipulation of the argument db_host leads to deserialization. This vulnerability is known as CVE-2025-7099. The attack can be launched remotely. Furthermore, there is an exploit available.

Submit #604403 / VDB-315017

Submit #604401 / VDB-315016

Submit #604323 / VDB-315015

A vulnerability was found in BoyunCMS up to 1.4.20 and classified as critical. Affected by this issue is some unknown functionality of the file /application/user/controller/Index.php. The manipulation of the argument image leads to unrestricted upload. This vulnerability is handled as CVE-2025-7100. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability has been found in BoyunCMS up to 1.21 on PHP7 and classified as critical. Affected by this vulnerability is an unknown functionality of the file install/install2.php of the component Installation Handler. The manipulation of the argument db_host leads to deserialization. This vulnerability is known as CVE-2025-7099. The attack can be launched remotely. Furthermore, there is an exploit available.

Как обычный помидор заставил ученого переместиться на 30 лет назад..

Submit #604455 / VDB-315014

Submit #604310 / VDB-315013

A vulnerability was found in jspreadsheet up to 4.5.x and classified as problematic. Affected by this issue is some unknown functionality of the component Dropdown Menu. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2022-48115. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in braintree sanitize-url up to 6.0.1. It has been classified as problematic. Affected is an unknown function. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2022-48345. It is possible to launch the attack remotely. There is no exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in frp_form_answers Extension up to 3.1.1/4.0.1 on TYPO3 and classified as problematic. Affected by this issue is some unknown functionality of the component Saved Email Handler. The manipulation leads to cross site scripting. This vulnerability is handled as CVE-2023-26091. The attack may be launched remotely. There is no exploit available. It is recommended to upgrade the affected component.

D-Link RCE漏洞中涉及到的魔术引号和空格的检测绕过

Flask内存马各种姿势详解本篇以jinja2 ssti视角研究Flask高版本内存马拿request对象app.view_functions相关因为高版本给add_url_rule加了装饰器@setupmethod，这个装饰器会先调用app._check_setup_finished, 所以得将app._got_first_request改为False路由装饰器add_url_ruleadd_u

从源码层面调试分析house of cat 的攻击流程

本文主要探讨已经能够通过漏洞实现addrOf()、fakeObject()这样的原语后，如何最终实现程序流完整控制的通用手法。从提出新型Fakearray构造方式以绕过JSArray.elements结构校验，又介绍了WASM函数完整调用流程以及LazyCompile,从而提出一种基于覆盖Instance对象的jump_start_table的控制程序流方法

North Korea-linked hackers use fake Zoom updates to spread macOS NimDoor malware, targeting crypto firms with stealthy backdoors. North Korea-linked threat actors are targeting Web3 and crypto firms with NimDoor, a rare macOS backdoor disguised as a fake Zoom update. Victims are tricked into installing the malware through phishing links sent via Calendly or Telegram. […]