Aggregator

A vulnerability categorized as problematic has been discovered in Frappe LMS up to 2.40.x. The affected element is an unknown function of the component Endpoint. Such manipulation leads to incorrect authorization. This vulnerability is listed as CVE-2025-66581. The attack may be performed from remote. There is no available exploit. It is advisable to upgrade the affected component.

A vulnerability was found in Nextcloud Tables up to 0.8.8/0.9.5/1.0.0. It has been rated as problematic. Impacted is an unknown function. This manipulation causes authorization bypass. This vulnerability is tracked as CVE-2025-66513. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is advised.

A vulnerability was found in yawkat lz4-java up to 1.10.0. It has been declared as problematic. This issue affects some unknown processing. The manipulation results in insertion of sensitive information into sent data. This vulnerability is identified as CVE-2025-66566. The attack can be executed remotely. There is not any exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in Flexsense DiskBoss, DiskBoss Pro, DiskBoss Ultimate, DiskBoss Server and DiskBoss Enterprise 11.7.28. It has been classified as problematic. This vulnerability affects unknown code. The manipulation leads to unquoted search path. This vulnerability is referenced as CVE-2020-36879. The attack can only be performed from a local environment. Furthermore, an exploit is available.

A vulnerability was found in Langflow up to 1.6.9 and classified as critical. This affects an unknown part of the component Refresh Endpoint. Executing manipulation can lead to origin validation error. The identification of this vulnerability is CVE-2025-34291. The attack may be launched remotely. There is no exploit available.

A vulnerability has been found in Advantech WISE-DeviceOn Server up to 5.3 and classified as critical. Affected by this issue is some unknown functionality of the component Installation Handler. Performing manipulation results in use of hard-coded cryptographic key . This vulnerability was named CVE-2025-34256. The attack may be initiated remotely. There is no available exploit. The affected component should be upgraded.

A vulnerability, which was classified as very critical, was found in Google Cloud Apigee Hybrid up to 1.11.1/1.12.3/1.13.2/1.14.0. Affected by this vulnerability is an unknown functionality of the component Javacallout Policy. Such manipulation leads to dynamically-managed code resources. This vulnerability is uniquely identified as CVE-2025-13426. The attack can be launched remotely. No exploit exists. You should upgrade the affected component.

A vulnerability, which was classified as critical, has been found in ReQuest Serious Play F3 Media Server 7.0.3.4968. Affected is an unknown function of the component Quick File Uploader Page. This manipulation causes os command injection. This vulnerability is handled as CVE-2020-36877. The attack can be initiated remotely. Additionally, an exploit exists.

A vulnerability classified as problematic was found in strimzi strimzi-kafka-operator up to 0.49.0 on Kubernetes. This impacts an unknown function. The manipulation results in information disclosure. This vulnerability is known as CVE-2025-66623. Access to the local network is required for this attack. No exploit is available. Upgrading the affected component is advised.

A vulnerability classified as problematic has been found in ReQuest Serious Play F3 Media Server. This affects an unknown function of the component message_log Page. The manipulation leads to sensitive information in log files. This vulnerability is traded as CVE-2020-36876. It is possible to launch the attack on the physical device. Furthermore, there is an exploit available.

免责声明由于传播、利用本公众号所提供的信息而造成的任何直接或者间接的后果及损失，均由使用者本人负责，公众号陌

Security researchers from the SAFA team have uncovered four kernel heap overflow vulnerabilities in Avast Antivirus, all traced to the aswSnx kernel driver. The flaws, now tracked collectively as CVE-2025-13032, could allow a local attacker to escalate privileges to SYSTEM on Windows 11 if successfully exploited. The research focused on Avast’s sandbox implementation, a component […]

The post Avast Antivirus Sandbox Vulnerabilities Let Attackers Escalate Privileges appeared first on Cyber Security News.

Currently trending CVE - Hype Score: 8 - In build_read_multi_rsp of gatt_sr.cc, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote (proximal/adjacent) code execution with no additional execution privileges needed. User interaction is not needed for exploitation.

Currently trending CVE - Hype Score: 9

Currently trending CVE - Hype Score: 2 - Out of bounds read in WebXR in Google Chrome prior to 142.0.7444.59 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: Medium)

Currently trending CVE - Hype Score: 9 - Untrusted LD_LIBRARY_PATH environment variable vulnerability in the GNU C Library version 2.27 to 2.38 allows attacker controlled loading of dynamically shared library in statically compiled setuid binaries that call dlopen (including internal dlopen calls after setlocale or ...

Как детская игровая платформа превратилась в объект для претензий о пропаганде, экстремизме и угрозах для несовершеннолетних.

Критическая уязвимость уже в арсенале известных групп, вопрос в том, сколько проектов заметит это слишком поздно.

React Server Components 的 Flight 协议存在严重远程代码执行漏洞（CVE-2025-55182/CVE-2025-66478），影响 React 19 及 Next.js 等框架。攻击者可通过特制 HTTP 请求在服务器端执行代码，成功率近 100%。问题源于默认配置下的不安全反序列化逻辑，默认无需修改代码即可被利用。约 39% 的云环境受影响。React 和 Next 已发布修复版本，建议立即升级以防范漏洞利用。

《*国安全战略报告 2026》由日本防卫省的智库“防卫研究所”（National Institute for Defense Studies, NIDS）于2025年11月20日正式发布 。