Aggregator

A vulnerability was found in itsourcecode Online Cake Ordering System 1.0. It has been declared as critical. This issue affects some unknown processing of the file /admindetail.php?action=edit. The manipulation of the argument ID results in sql injection. This vulnerability is cataloged as CVE-2025-14652. The attack may be launched remotely. Furthermore, there is an exploit available.

Further analysis revealed that this issues is a false-positive. Please take a look at the sources mentioned and consider not using this entry at all.

A vulnerability was found in Linux Kernel up to 6.12.27/6.14.5/6.15-rc4 and classified as critical. The impacted element is the function smb2_sess_setup of the component ksmbd. Executing manipulation can lead to use after free. This vulnerability is tracked as CVE-2025-37899. The attack is only possible within the local network. No exploit exists. It is suggested to upgrade the affected component.

A vulnerability, which was classified as critical, was found in Linux Kernel up to 6.12.27/6.14.5/6.15-rc4. Affected is the function iommu_copy_struct_from_user of the component iommu. Executing manipulation can lead to null pointer dereference. This vulnerability is tracked as CVE-2025-37900. The attack is only possible within the local network. No exploit exists. You should upgrade the affected component.

A vulnerability was found in Linux Kernel up to 6.1.137/6.6.89/6.12.27/6.14.5/6.15-rc4 and classified as critical. Affected by this issue is some unknown functionality of the component qcom-mpm. The manipulation results in denial of service. This vulnerability is cataloged as CVE-2025-37901. The attack must originate from the local network. There is no exploit available. It is suggested to upgrade the affected component.

A vulnerability marked as problematic has been reported in Linux Kernel up to 6.14.5/6.15-rc4. This vulnerability affects the function module_memory_alloc. The manipulation leads to allocation of resources. This vulnerability is traded as CVE-2025-37898. Access to the local network is required for this attack to succeed. There is no exploit available. It is suggested to upgrade the affected component.

A vulnerability was found in Linux Kernel up to 6.14.5/6.15-rc4. It has been declared as problematic. This vulnerability affects the function spi_mem_calc_op_duration of the component SPI. Such manipulation leads to divide by zero. This vulnerability is documented as CVE-2025-37896. The attack requires being on the local network. There is not any exploit available. It is recommended to upgrade the affected component.

A vulnerability classified as problematic has been found in Linux Kernel up to 6.1.137/6.6.89/6.12.27/6.14.5/6.15-rc4. Affected is the function plfxlc_mac_release of the file drivers/net/wireless/purelifi/plfxlc/mac.c of the component wifi. Performing manipulation results in reachable assertion. This vulnerability was named CVE-2025-37897. The attack needs to be approached within the local network. There is no available exploit. It is recommended to upgrade the affected component.

A vulnerability, which was classified as critical, has been found in Linux Kernel up to 6.12.27/6.14.5/6.15-rc4. This issue affects the function sock_gen_put of the file mrdump.ko. This manipulation causes improper update of reference count. The identification of this vulnerability is CVE-2025-37894. The attack needs to be done within the local network. There is no exploit available. It is advisable to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in Linux Kernel up to 6.12.27/6.14.5/6.15-rc4. Impacted is the function bnxt_init_chip of the file kernel/workqueue.c. Such manipulation leads to improper initialization. This vulnerability is referenced as CVE-2025-37895. The attack needs to be initiated within the local network. No exploit is available. You should upgrade the affected component.

A vulnerability labeled as problematic has been found in Linux Kernel up to 6.6.87/6.12.24/6.14.3/6.15-rc2. The impacted element is the function dsa_switch_supports_uc_filtering of the component DSA Interface. Such manipulation leads to reachable assertion. This vulnerability is referenced as CVE-2025-37864. The attack needs to be initiated within the local network. No exploit is available. The affected component should be upgraded.

Name: SECCON CTF 14 Quals (an SECCON CTF event.)
Date: Dec. 13, 2025, 5 a.m. — 14 Dec. 2025, 05:00 UTC  [add to calendar]
Format: Jeopardy
On-line
Offical URL: https://ctf.seccon.jp/
Rating weight: 100.00
Event organizers: SECCON CTF

Name: Cybercoliseum IV (an Codeby Games event.)
Date: Dec. 13, 2025, 7 a.m. — 14 Dec. 2025, 07:00 UTC  [add to calendar]
Format: Jeopardy
On-line
Offical URL: https://cybercoliseum.hackerlab.pro/en
Rating weight: 0
Event organizers: Codeby Games

与 g0dxing 师傅一起开发的开源暴力破解靶场

漏洞描述Apache Tika 的 tika-core (1.13-3.2.1)、tika-pdf-module (2.0.0-3.2.1) 和 tika-parsers (1.13-1.28.5) 模块在所有平台上存在严重 XXE 漏洞，攻击者可利用此漏洞通过在 PDF 文件中嵌入精心构造的 XFA 文件来实施 XML 外部实体注入。此 CVE 漏洞与 CVE-2025-54988 漏洞相同。然

Apache Causeway 是 Apache 基金会开源的 Java 企业级领域建模框架，基于 Spring Boot 架构，能够为实体类、领域服务和 ViewModel 自动生成 Web 界面与 API 接口，广泛应用于企业级管理系统的构建。 在受影响的版本中，框架在处理 ViewModel 的书签（bookmark）与 URL 片段时存在严重的安全缺陷：**系统将客户端可控的内容直接作为

环境搭建源码：https://gitee.com/y_project/RuoYi/tree/v4.8.1环境：mysql+IDEA新建数据库ry，导入ry_20250416.sql与quartz.sql文件，修改配置文件application-druid.yml账号密码本地环境搭建POCshiro利用漏洞点位置：com/ruoyi/web/controller/monitor/CacheContr

使用了大量携带正常数字签名（含国内数字签名）的文件进行木马传播、使用了多种反沙箱/反调试技术进行安全技术对坑、外联亚马逊的AWS S3存储桶下载并执行最新恶意载荷

多个多内合法数字签名、trycloudflare隧道通信

分析ipTIME AX2004M路由器固件漏洞，揭示基于逻辑错误的未授权访问与RCE利用链。