Aggregator

CVE-2025-38600 | Linux Kernel up to 6.16.0 wifi mt7925_mcu_hw_scan ssids[] off-by-one (Nessus ID 260165 / WID-SEC-2025-1869)

Vuldb Updates
1 week 1 day ago
A vulnerability classified as problematic was found in Linux Kernel up to 6.16.0. Affected by this vulnerability is the function mt7925_mcu_hw_scan of the component wifi. The manipulation of the argument ssids[] results in off-by-one. This vulnerability was named CVE-2025-38600. The attack needs to be approached within the local network. There is no available exploit. Upgrading the affected component is advised.
vuldb.com

CVE-2025-38599 | Linux Kernel up to 6.15.9/6.16.0 wifi mt7996_tx out-of-bounds (Nessus ID 260174 / WID-SEC-2025-1869)

Vuldb Updates
1 week 1 day ago
A vulnerability classified as problematic has been found in Linux Kernel up to 6.15.9/6.16.0. Affected is the function mt7996_tx of the component wifi. The manipulation leads to out-of-bounds read. This vulnerability is uniquely identified as CVE-2025-38599. The attack can only be initiated within the local network. No exploit exists. It is recommended to upgrade the affected component.
vuldb.com

【梆梆安全监测】 安全隐私合规监管趋势及漏洞风险报告(1109-1122)

嘶吼
1 week 1 day ago

【梆梆安全监测】

安全隐私合规监管趋势及漏洞风险报告

(1109-1122)

●最新监管动态

监管通报动态

●监管支撑汇总

梆梆安全监管支撑数据

国家监管数据分析

●漏洞风险分析

各漏洞类型占比分析

存在漏洞的APP各类型占比分析 

01最新监管动态

1. 监管通报动态

11月13日,浙江通管局依据相关法律法规,对APP、小程序违法违规收集使用个人信息等问题开展治理。截至目前,尚有13款APP、小程序未按要求完成整改,浙江通管局现予以通报。

11月13日,广东通管局依据相关法律法规的要求,持续开展移动应用程序专项治理工作,截至目前,尚有3款APP未完成整改,广东通管局现予以通报。

11月14日,广东通管局依据相关法律法规的要求,持续开展移动应用程序专项治理工作,截至通报规定时限,经核查复检,尚有5款APP未按照要求完成整改反馈,广东通管局现予以下架。

11月24日,甘肃通管局依据相关法律法规的要求,持续开展移动互联网应用程序(APP)及小程序个人信息合规专项整治行动。抽测发现有10款APP未完成整改或整改不到位,甘肃通管局现予以公开通报。2025年第五批通报的违规APP,仍有3款未按要求完成整改,甘肃通管局现予以下架处置。

11月26日,上海通管局依据相关法律法规的要求,对APP(SDK)侵害用户权益的违规行为持续开展整治。抽查,共发现71款APP(SDK)存在侵害用户权益行为,上海通管局现予以通报。

02监管支撑汇总

1. 梆梆安全监管支撑数据

依据近两周监管支撑发现存在隐私合规类问题的APP数据,从APP行业分类及TOP3问题数据两方面来说明。

1)问题行业TOP3:

求职招聘类

网上购物类

其他

2)隐私合规问题TOP3:

TOP1:164号文-1 违规收集个人信息;

TOP2:认定方法 2-1 未逐一列出APP(包括委托的第三方或嵌入的第三方代码、插件)收集使用个人信息的目的、方式、范围等;

TOP3:认定方法 3-3 实际收集的个人信息或打开的可收集个人信息权限超出用户授权范围;

2. 国家监管数据分析

针对国家近两周监管通报数据,依据问题类型,统计涉及APP数量如下:

问题分类问题数量164-1 违规收集个人信息62191-6 未按法律规定提供删除或更正个人信息功能”或“未公布投诉、举报方式等信息5626号文 未明示个人信息处理规则47164-5 APP强制、频繁、过度索取权限17164-2 超范围收集个人信息8164-3 违规使用个人信息7164-4 强制用户使用定向推送5164-6 APP频繁自启动和关联启动2总计204

针对国家近两周监管通报数据,依据APP类型,统计出现通报的APP数量如下:

APP类型APP数量实用工具类20投资理财类20学习教育类11网上购物类10本地生活类8网络游戏类7用车服务类6餐饮外卖类3网络社区类3问诊挂号类3邮件快件寄递类3电子图书类2拍摄美化类2求职招聘类2房屋租售类1交通票务类1网络借贷类1网络直播类1新闻资讯类1总计105

03漏洞风险分析

从全国的Android APP中随机抽取了1,623款进行漏洞检测发现,存在中高危漏洞威胁的APP为1,257个,即77.45%以上的APP存在中高危漏洞风险。而这1,257款漏洞应用中,有高危漏洞的应用共944款,占比75.1%,有中危漏洞的应用共1,215款,占比96.66%(同一款应用可能存在多个等级的漏洞)。存在不同风险等级漏洞的APP占比如下:

各漏洞类型占比分析

针对不同类型的漏洞进行统计,应用中高危漏洞数量排名前三的类型分别为Java代码反编译风险、HTTPS未校验主机名漏洞以及动态注册Receiver风险。各漏洞类型占比情况如下图所示:

存在漏洞的APP各类型占比分析

从APP类型来看,实用工具类APP存在漏洞风险最多,占漏洞APP总量的21.68%,其次为教育学习类APP,占比11.14%,生活服务类APP位居第三,占比10.18%,漏洞数量排名前十的类型如下图所示:

梆梆安全

CVE-2025-46285 | Apple macOS up to 14.8.2/15.7.2 App integer overflow (EUVD-2025-203133 / WID-SEC-2025-2838)

Vuldb Updates
1 week 1 day ago
A vulnerability labeled as critical has been found in Apple macOS up to 14.8.2/15.7.2. Affected is an unknown function of the component App. Executing manipulation can lead to integer overflow. This vulnerability is handled as CVE-2025-46285. It is possible to launch the attack on the local host. There is not any exploit available. The affected component should be upgraded.
vuldb.com

CVE-2025-14503 | Amazon AWS Harmonix up to 0.4.1 privileges assignment (GHSA-qm86-gqrq-mqcw / EUVD-2025-203445)

Vuldb Updates
1 week 1 day ago
A vulnerability was found in Amazon AWS Harmonix up to 0.4.1 and classified as critical. The impacted element is an unknown function. Executing manipulation can lead to incorrect privilege assignment. This vulnerability appears as CVE-2025-14503. The attack may be performed from remote. There is no available exploit. It is suggested to upgrade the affected component.
vuldb.com

CVE-2025-43320 | Apple macOS up to 15.7.2 App Local Privilege Escalation (EUVD-2025-203166 / Nessus ID 278571)

Vuldb Updates
1 week 1 day ago
A vulnerability classified as problematic was found in Apple macOS up to 15.7.2. Impacted is an unknown function of the component App. Such manipulation leads to Local Privilege Escalation. This vulnerability is listed as CVE-2025-43320. The attack must be carried out locally. There is no available exploit. Upgrading the affected component is advised.
vuldb.com

CVE-2025-13794 | Auto Featured Image Plugin up to 4.2.1 on WordPress Thumbnail bulk_action_generate_handler authorization (EUVD-2025-203499)

Vuldb Updates
1 week 1 day ago
A vulnerability classified as problematic has been found in Auto Featured Image Plugin up to 4.2.1 on WordPress. Impacted is the function bulk_action_generate_handler of the component Thumbnail Handler. This manipulation causes missing authorization. This vulnerability is tracked as CVE-2025-13794. The attack is possible to be carried out remotely. No exploit exists.
vuldb.com

AI黑产“暗战”升级,邮件防御如何“见招拆招”?

嘶吼
1 week 1 day ago

12月17日15:00 线上直播

特邀资深信息安全专家分享

直播亮点抢先看

1.趋势洞察:解读黑产新招数,揭示勒索/盗号/钓鱼攻击新动向

2.案例复盘:拆解热门攻击案例,预警新型攻击手法

3.防御赋能:聚焦2026防护重点,解锁全场景解决方案

预约直播即享三重福利

1.专享资料包

2025年Q4黑产数据精要版

2025年季度企业安全报告合集

2.深度评估机会

1v1专家邮件防护咨询

定制企业防护方案

CACTER邮件安全

French Interior Minister says hackers breached its email servers

Security Affairs
1 week 1 day ago
The French interior minister confirmed that a cyberattack breached the Interior Ministry, compromising its email servers. The French Interior Minister Laurent Nunez announced on Friday that threat actors compromised email servers at the Ministry of the Interior. The attack was detected overnight between December 11 and 12, and according to the French interior minister, attackers […]
Pierluigi Paganini

CVE-2022-50676 | Linux Kernel up to 6.0.2 rds_tcp_reset_callbacks denial of service (Nessus ID 278323)

Vuldb Updates
1 week 1 day ago
A vulnerability identified as critical has been detected in Linux Kernel up to 6.0.2. The affected element is the function rds_tcp_reset_callbacks. This manipulation causes denial of service. This vulnerability is registered as CVE-2022-50676. The attack requires access to the local network. No exploit is available. You should upgrade the affected component.
vuldb.com

CVE-2022-50641 | Linux Kernel up to 6.0.2 for_each_available_child_of_node reference count (Nessus ID 278324)

Vuldb Updates
1 week 1 day ago
A vulnerability marked as critical has been reported in Linux Kernel up to 6.0.2. Affected is the function for_each_available_child_of_node. Performing manipulation results in improper update of reference count. This vulnerability is known as CVE-2022-50641. Access to the local network is required for this attack. No exploit is available. It is suggested to upgrade the affected component.
vuldb.com

CVE-2025-67899 | uriparser up to 0.9.9 recursion (Issue 282 / EUVD-2025-203311)

Vuldb Updates
1 week 1 day ago
A vulnerability was found in uriparser up to 0.9.9. It has been rated as problematic. The affected element is an unknown function. Performing manipulation results in uncontrolled recursion. This vulnerability is identified as CVE-2025-67899. The attack is only possible with local access. There is not any exploit available. It is suggested to install a patch to address this issue.
vuldb.com

Google to Shut Down Dark Web Monitoring Tool in February 2026

The Hackers News
1 week 1 day ago
Google has announced that it's discontinuing its dark web report tool in February 2026, less than two years after it was launched as a way for users to monitor if their personal information is found on the dark web. To that end, scans for new dark web breaches will be stopped on January 15, 2026, and the feature will cease to exist effective February 16, 2026. "While the report offered general
The Hacker News

Managed ad