Aggregator
The original domain has changed and will be fully decommissioned in 2024; please visit https://govuln.com/news/ for the new RSS feed
27 minutes 12 seconds ago
CVE-2025-43300
1 hour 11 minutes ago
Currently trending CVE - Hype Score: 42 - An out-of-bounds write issue was addressed with improved bounds checking. This issue is fixed in macOS Sonoma 14.7.8, macOS Ventura 13.7.8, iPadOS 17.7.10, macOS Sequoia 15.6.1, iOS 18.6.2 and iPadOS 18.6.2. Processing a malicious image file may result in memory corruption. ...
CVE-2023-46604
1 hour 11 minutes ago
Currently trending CVE - Hype Score: 28 - The Java OpenWire protocol marshaller is vulnerable to Remote Code Execution. This vulnerability may allow a remote attacker with network access to either a Java-based OpenWire broker or client to run arbitrary shell commands by manipulating serialized class types in the ...
CVE-2025-9132
1 hour 11 minutes ago
Currently trending CVE - Hype Score: 30 - Out of bounds write in V8 in Google Chrome prior to 139.0.7258.138 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High)
CVE-2025-55346
1 hour 11 minutes ago
Currently trending CVE - Hype Score: 36 - User-controlled input flows to an unsafe implementation of a dynamic Function constructor, allowing network attackers to run arbitrary unsandboxed JS code in the context of the host, by sending a simple POST request.
CVE-2023-20269
1 hour 11 minutes ago
Currently trending CVE - Hype Score: 31 - A vulnerability in the remote access VPN feature of Cisco Adaptive Security Appliance (ASA) Software and Cisco Firepower Threat Defense (FTD) Software could allow an unauthenticated, remote attacker to conduct a brute force attack in an attempt to identify valid username and ...
CVE-2024-37085
1 hour 11 minutes ago
Currently trending CVE - Hype Score: 31 - VMware ESXi contains an authentication bypass vulnerability. A malicious actor with sufficient Active Directory (AD) permissions can gain full access to an ESXi host that was previously configured to use AD for user management ...
CVE-2024-42057
1 hour 11 minutes ago
Currently trending CVE - Hype Score: 31 - A command injection vulnerability in the IPSec VPN feature of Zyxel ATP series firmware versions from V4.32 through V5.38, USG FLEX series firmware versions from V4.50 through V5.38, USG FLEX 50(W) series firmware versions from V4.16 through V5.38, and USG20(W)-VPN series ...
CVE-2025-53770
1 hour 11 minutes ago
Currently trending CVE - Hype Score: 5 - Deserialization of untrusted data in on-premises Microsoft SharePoint Server allows an unauthorized attacker to execute code over a network.
Microsoft is aware that an exploit for CVE-2025-53770 exists in the wild.
Microsoft is preparing and fully testing a comprehensive update ...
CVE-2025-25257
1 hour 11 minutes ago
Currently trending CVE - Hype Score: 8 - An improper neutralization of special elements used in an SQL command ('SQL Injection') vulnerability [CWE-89] in Fortinet FortiWeb version 7.6.0 through 7.6.3, 7.4.0 through 7.4.7, 7.2.0 through 7.2.10 and below 7.0.10 allows an unauthenticated attacker to execute unauthorized ...
CVE-2025-29824
1 hour 11 minutes ago
Currently trending CVE - Hype Score: 1 - Use after free in Windows Common Log File System Driver allows an authorized attacker to elevate privileges locally.
From Ladders to Lattices: Redesigning Career Growth
2 hours 28 minutes ago
Workers Reject Traditional Advancement for Flexible, Purpose-Driven Career Paths
In 2025, professionals are abandoning the traditional career ladder for lateral moves and purpose-driven roles. Employers must adapt their advancement models or risk losing top talent, especially in critical fields like cybersecurity where flexibility matters most.
Webinar | AI in action: Top real-world use cases
2 hours 28 minutes ago
McFlaw: Hacker Breaches McDonald's Portal With URL Trick
2 hours 28 minutes ago
Hacking Was the Easy Part, Notifying McDonald's the Extremely Difficult Bit
A security researcher gained access to McDonald's global marketing portal by changing a single word in its URL, uncovering a slew of additional vulnerabilities. The hard part was notifying the burger giant about the flaws, says self-described ethical hacker "BobDaHacker."
Drug R&D Firm's IT, Data Encrypted in Alleged Qilin Attack
2 hours 28 minutes ago
Inotiv Inc. Tells SEC Some Business Operations Disrupted, No Recovery Date in Sight
Inotiv, a drug research and development firm, told federal regulators that it's been dealing with a cyberattack since Aug. 8 that has encrypted some IT systems and data, and is disrupting certain business operations. Ransomware gang Qilin has listed the company as a victim on its dark website.
Anthropic Tests Safeguard for AI 'Model Welfare'
2 hours 28 minutes ago
Claude Models May Shut Down Harmful Chats in Some Edge Cases
Anthropic introduced a safeguard to its Claude artificial intelligence platform that allows certain models to end conversations in cases of persistently harmful or abusive interactions. The company said it's doing so not to protect human users, but as a way to mitigate risks to the models.
Russian Hackers Accused in Wave of Water Sector Cyberattacks
2 hours 28 minutes ago
Successful Breaches Renew Fears of Operational Vulnerabilities Across Water Sector
Russia is suspected of escalating cyberattacks on European water utilities, including attempts to sabotage Polish and Norwegian water facilities and dams, signaling a broader threat to global critical infrastructure as state-backed actors exploit critical OT weaknesses amid global conflict.
CVE-2025-9253 | Linksys RE6250/RE6300/RE6350/RE6500/RE7000/RE9000 RP_doSpecifySiteSurvey ssidhex stack-based overflow
3 hours 8 minutes ago
A vulnerability, which was classified as critical, has been found in Linksys RE6250, RE6300, RE6350, RE6500, RE7000 and RE9000 1.0.013.001/1.0.04.001/1.0.04.002/1.1.05.003/1.2.07.001. Affected by this issue is the function RP_doSpecifySiteSurvey of the file /goform/RP_doSpecifySiteSurvey. The manipulation of the argument ssidhex leads to stack-based buffer overflow.
This vulnerability is listed as CVE-2025-9253. The attack may be initiated remotely. In addition, an exploit is available.
The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com
CVE-2025-9262 | wong2 mcp-cli 1.13.0 oAuth /src/oauth/provider.js redirectToAuthorization os command injection
3 hours 8 minutes ago
A vulnerability was found in wong2 mcp-cli 1.13.0. It has been rated as critical. Affected is the function redirectToAuthorization of the file /src/oauth/provider.js of the component oAuth Handler. This manipulation causes os command injection.
This vulnerability appears as CVE-2025-9262. The attack may be initiated remotely. In addition, an exploit is available.
The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com