Aggregator

A vulnerability, which was classified as critical, has been found in Taxi Booking Manager for Woocommerce Plugin up to 1.3.0 on WordPress. This issue affects some unknown processing. This manipulation causes missing authorization. This vulnerability is registered as CVE-2025-8898. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability was found in User Profile Builder Plugin up to 3.14.3 on WordPress. It has been classified as problematic. This affects the function gdpr_communication_preferences of the component GDPR Communication Preferences Module. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2025-8896. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability was found in Advanced iFrame Plugin up to 2025.6 on WordPress. It has been declared as problematic. This impacts an unknown function. The manipulation of the argument additional results in cross site scripting. This vulnerability is known as CVE-2025-8089. It is possible to launch the attack remotely. No exploit is available.

A vulnerability, which was classified as critical, was found in Drag and Drop Multiple File Upload for Contact Form 7 Plugin up to 1.3.9.0 on WordPress. Impacted is an unknown function of the component Cookie Handler. Such manipulation of the argument wpcf7_guest_user_id leads to path traversal. This vulnerability is documented as CVE-2025-8464. The attack can be executed remotely. There is not any exploit available.

A vulnerability has been found in BetterDocs Plugin up to 4.1.1 on WordPress and classified as problematic. The affected element is the function get_response. Performing manipulation results in missing authorization. This vulnerability is reported as CVE-2025-7499. The attack is possible to be carried out remotely. No exploit exists.

A vulnerability was found in Translate This gTranslate Shortcode Plugin up to 1.0 on WordPress and classified as problematic. The impacted element is an unknown function of the component Shortcode Handler. Executing manipulation of the argument base_lang can lead to cross site scripting. This vulnerability appears as CVE-2025-8719. The attack may be performed from a remote location. There is no available exploit.

A vulnerability was found in Portabilis i-Educar 2.9.0/2.10.0. It has been classified as problematic. This vulnerability affects unknown code of the file /intranet/agenda.php of the component Agenda Module. The manipulation of the argument novo_titulo/novo_descricao leads to cross site scripting. This vulnerability is traded as CVE-2025-7867. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

漏洞简介Sudo 1.9.14+ 版本存在漏洞：它在切换环境（chroot）后过早解析路径，导致攻击者能通过伪造/etc/nsswitch.conf等文件，诱骗Sudo加载恶意库（如libnss_xxx.so）。无需特殊权限即可获得root权限，危害极大。（核心：路径解析顺序错误 + 恶意库劫持 = 直接提权）漏洞描述该漏洞的严重性被评为“重要”，因为攻击者必须能够访问系统上的有效帐户，并且即使帐

JetBrains 发布了第八次年度 Python 开发者调查报告。调查由 JetBrains 和 Python 软件基金会合作完成。结果显示，86% 的受访者表示 Python 是他们的主要语言，用于写程序、构建应用和创建 API 等；50% 受访者只有不到两年的专业编程经验，39% 的受访者只有不到两年的 Python 经验；83% 的 Python 开发者使用旧版本（v 3.12 或以下版本），主要理由是当前使用版本已能满足所有需求，报告指出从 Python 3.11 升级到 Python 3.13 能将代码速度提高 11% 内存占用减少 10-15%；51% 的受访者将 Python 用于数据探索和处理，最常用的工具是 Pandas 和 NumPy。

京东卡上线通知KB拓展新姿势TIME 2025.08.20 10:00各位白帽子请注意！

CISA has issued a critical warning regarding a high-severity OS command injection vulnerability in Trend Micro Apex One Management Console that threat actors are actively exploiting in the wild.  The vulnerability, tracked as CVE-2025-54948 and classified under CWE-78, poses significant risks to organizations running on-premise installations of the enterprise security platform. Key Takeaways1. CISA confirms […]

The post CISA Warns of Trend Micro Apex One OS Command Injection Vulnerability Exploited in Attacks appeared first on Cyber Security News.

Git 2.51 is out, and the release continues the long process of modernizing the version control system. The update includes several technical changes, but one of the most important areas of work is Git’s move toward stronger cryptographic security through SHA-256 support. Git has relied on SHA-1 since its creation in 2005. SHA-1 has been showing its age for years, with researchers demonstrating collision attacks that make it unsuitable for long-term use. The community has … More →

The post Git 2.51: Preparing for the future with SHA-256 appeared first on Help Net Security.

The maintainers of the Python Package Index (PyPI) repository have announced that the package manager now checks for expired domains to prevent supply chain attacks. "These changes improve PyPI's overall account security posture, making it harder for attackers to exploit expired domain names to gain unauthorized access to accounts," Mike Fiedler, PyPI safety and security engineer at the Python

本文并非简单复现 CVE-2025-24813，区别于市面上多数仅停留在 POC 运行的文章。基于 Tomcat 源码，通过深入分析调用链与反序列化机制，全面还原漏洞的触发原理与底层实现。适合希望真正理解漏洞本质和内在机制的安全研究者阅读。

Mozilla делает ставку на приватность и новые инструменты.

As the Internet of Things (IoT) continues to transform industries and daily lives, security has become one of the most critical challenges organizations face. From smart homes and connected cars to industrial systems and healthcare devices, IoT ecosystems are vast and deeply integrated into business operations and personal environments. However, with this rapid adoption comes

The post IoT Security appeared first on Seceon Inc.

The post IoT Security appeared first on Security Boulevard.

Security misconfiguration is a significant concern, in the OWASP Top 10. During our web application penetration tests, we often discover numerous vulnerabilities of this nature. According to OWASP, this issue impacts nearly 90% of all web applications. In this blog, we will explore this vulnerability through the lens of the OWASP Top 10, illustrating it […]

The post OWASP Security Misconfiguration: Quick guide appeared first on Kratikal Blogs.

The post OWASP Security Misconfiguration: Quick guide appeared first on Security Boulevard.

起初，该公司仅宣布出现“技术问题”，并未确认是网络安全事件。不过，在后续的状态更新中，说明了事件的性质。