Aggregator

A vulnerability was found in Tenda AC9 15.03.05.14_multi. It has been rated as problematic. Affected by this vulnerability is an unknown functionality of the file /cgi-bin/DownloadCfg.jpg of the component Configuration File Handler. This manipulation causes information disclosure. This vulnerability appears as CVE-2025-14286. The attack may be initiated remotely. In addition, an exploit is available. It is advisable to implement restrictive firewalling.

A vulnerability has been found in static-web-server Static Web Server up to 2.40.0 and classified as critical. This vulnerability affects unknown code. Performing manipulation results in symlink following. This vulnerability was named CVE-2025-67487. The attack may be initiated remotely. In addition, an exploit is available. The affected component should be upgraded.

A vulnerability was found in Verysync 微力同步 up to 2.21.3 and classified as critical. This impacts an unknown function of the file /rest/f/api/resources/f96956469e7be39d/tmp/text.txt?override=false of the component Web Administration Module. Executing manipulation can lead to unrestricted upload. This vulnerability appears as CVE-2025-14199. The attack may be performed from remote. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in alokjaiswal Hotel-Management-services-using-MYSQL-and-php up to 5f8b60a7aa6c06a5632de569d4e3f6a8cd82f76f. It has been classified as problematic. Affected is an unknown function of the file /usersub.php of the component Request Pending Page. The manipulation leads to cross site scripting. This vulnerability is traded as CVE-2025-14200. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in code-projects Employee Profile Management System 1.0. It has been declared as critical. Affected is an unknown function of the file edit_personnel.php. The manipulation of the argument per_id results in sql injection. This vulnerability is reported as CVE-2025-14285. The attack can be launched remotely. Moreover, an exploit is present.

A vulnerability classified as critical was found in Traefik up to 2.11.31/3.6.2. This affects an unknown function. Executing manipulation can lead to interpretation conflict. This vulnerability is handled as CVE-2025-66490. The attack can be executed remotely. There is not any exploit available. Upgrading the affected component is advised.

A vulnerability was found in Siemens RUGGEDCOM ROX II Family up to 2.16.x. It has been rated as critical. This issue affects some unknown processing of the component Configuration Handler. Performing manipulation results in command injection. This vulnerability is reported as CVE-2024-56836. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is advised.

A vulnerability was found in WBCE CMS up to 1.6.4 and classified as problematic. This issue affects some unknown processing of the component Header Handler. Such manipulation of the argument X-Forwarded-For leads to improper restriction of excessive authentication attempts. This vulnerability is listed as CVE-2025-66204. The attack may be performed from remote. There is no available exploit. It is suggested to upgrade the affected component.

A vulnerability, which was classified as problematic, was found in Ivanti Endpoint Manager up to 2024 SU4. Affected by this vulnerability is an unknown functionality. Executing manipulation can lead to cross site scripting. This vulnerability is tracked as CVE-2025-10573. The attack can be launched remotely. No exploit exists. You should upgrade the affected component.

A vulnerability was found in Ivanti Endpoint Manager up to 2024 SU4. It has been rated as critical. Impacted is an unknown function. Performing manipulation results in path traversal. This vulnerability is reported as CVE-2025-13661. The attack is possible to be carried out remotely. No exploit exists. Upgrading the affected component is advised.

A vulnerability classified as problematic has been found in Beaver Builder Plugin up to 2.9.4 on WordPress. Impacted is the function get_attachment_sizes. This manipulation causes information disclosure. This vulnerability is handled as CVE-2025-12558. The attack can be initiated remotely. There is not any exploit available.

A vulnerability identified as problematic has been detected in Altcha 0.8.0. This affects an unknown part of the component Proof-of-Work Obfuscation Mode. Performing manipulation results in cryptographic issues. This vulnerability is known as CVE-2025-65849. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability marked as problematic has been reported in NUT-14 up to 0.17.x. Affected by this vulnerability is an unknown functionality. This manipulation causes improper validation of specified quantity in input. This vulnerability is tracked as CVE-2025-65548. The attack is only possible within the local network. No exploit exists. It is suggested to upgrade the affected component.

An urgent warning about a critical security flaw in OSGeo GeoServer, a widely used open-source geographic data-sharing server. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog, indicating that threat actors are actively leveraging this zero-day flaw in attacks targeting both public and private sectors. The newly disclosed vulnerability, tracked as CVE-2025-58360, […]

The post CISA Warns of OSGeo GeoServer 0-Day Vulnerability Exploited in Attacks appeared first on Cyber Security News.

Currently trending CVE - Hype Score: 1 - Elysia is a Typescript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep` after merging results of two standard schema validations with ...

嗯，用户让我帮忙总结一下这篇文章的内容，控制在一百个字以内，而且不需要用“文章内容总结”或者“这篇文章”这样的开头。直接写描述即可。 首先，我需要通读整篇文章，抓住主要信息。文章讲的是一个反盗版联盟ACE，他们最近关闭了印度的一个非常流行的盗版流媒体服务MKVCinemas，以及相关的25个域名。这个服务在过去两年里吸引了超过1.424亿的访问量。ACE是由迪士尼、华纳兄弟、Netflix等多家大型电视网络和电影工作室支持的，他们通过刑事指控、民事诉讼和禁止令来打击非法流媒体服务。 此外，ACE还关闭了一个广泛使用的文件克隆工具，这个工具允许用户从隐藏的云存储库中复制文件到个人云存储中，从而传播受版权保护的内容。这个工具在过去两年里吸引了2.314亿次访问，并帮助规避了删除努力，因为它隐藏了上传到云驱动器的媒体文件的来源。 ACE还提到他们将不懈地追求和摧毁非法运营，以使观众和创作者受益于一个安全、可持续的市场环境。最近几个月，ACE还与其他组织合作关闭了其他几个盗版流媒体服务，包括Photocall和Streameast等。 接下来，我需要将这些信息浓缩到100字以内。重点包括：ACE关闭了MKVCinemas及其相关域名；该服务在过去两年吸引了大量访问；ACE由多家大型公司支持；他们还关闭了一个文件克隆工具；以及强调了他们打击非法流媒体的决心。 可能的结构是：反盗版联盟ACE关停印度流行盗版流媒体服务MKVCinemas及其25个相关域名，该平台过去两年吸引超1.42亿访问者。同时关闭一文件克隆工具，并强调将持续打击非法运营。 检查一下字数是否在100字以内，并确保没有使用任何开头语。 反盗版联盟ACE关停印度流行盗版流媒体服务MKVCinemas及其25个相关域名，该平台过去两年吸引超1.42亿访问者。同时关闭一文件克隆工具，并强调将持续打击非法运营。

Найдены самые убедительные доказательства общей теории относительности.

An anti-piracy coalition has dismantled one of India's most popular streaming piracy services, which has provided free access to movies and TV shows to millions over the past two years. [...]

DJI Action 6 脱离传统运动相机定位，主打全能拍摄体验。其1:1正方形传感器、可变光圈设计和超广角镜头赋予更强创作自由度。与iPhone 16 Pro Max对比显示，在防抖、画质等方面优势明显。但快门迟滞、解锁困难等问题仍待优化。

Understand what PII is, why email puts it at risk, and how your business can strengthen security to better protect sensitive information.

The post PII in email: Explanation, risks, & protection appeared first on Security Boulevard.