
Overview

  • Grafana
  • Grafana Enterprise

21 Nov 2025
Published
22 Nov 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
0.02%

KEV

Description

SCIM provisioning was introduced in Grafana Enterprise and Grafana Cloud in April to improve how organizations manage users and teams in Grafana by introducing automated user lifecycle management. In Grafana versions 12.x where SCIM provisioning is enabled and configured, a vulnerability in user identity handling allows a malicious or compromised SCIM client to provision a user with a numeric externalId, which in turn could allow overriding internal user IDs and lead to impersonation or privilege escalation. This vulnerability applies only if all of the following conditions are met:

  • `enableSCIM` feature flag set to true
  • `user_sync_enabled` config option in the `[auth.scim]` block set to true

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 12 hours ago

Bluesky

Grafana fixes CVE-2025-41115 (admin spoofing), while CISA flags an Oracle exploit and publishes ICS advisories on risks to identity and industrial systems. #cisa #grafana #ICS #Oracle www.matricedigitale.it/2025/11/23/g...
  • 12h ago
Grafana warns of max severity admin spoofing vulnerability (CVE-2025-41115) #patchmanagement
  • 14h ago

Overview

  • Unknown
  • W3 Total Cache

17 Nov 2025
Published
17 Nov 2025
Updated

CVSS
Pending
EPSS
1.16%

KEV

Description

The W3 Total Cache WordPress plugin before 2.8.13 is vulnerable to command injection via the _parse_dynamic_mfunc function, allowing unauthenticated users to execute PHP commands by submitting a comment with a malicious payload to a post.

Statistics

  • 2 Posts

Last activity: 1 hour ago

Fediverse


Security researchers reveal critical vulnerability in the W3 Total Cache (W3TC) WordPress plugin

Vulnerability:
CVE-2025-9501 - Unauthenticated command injection

Impact: Allows an attacker to run commands on the server, and fully takeover the website

Remediation: Upgrade to W3TC plugin version 2.8.13 ASAP

#cybersecurity #vulnerabilitymanagement #W3TC

bleepingcomputer.com/news/secu

  • 18h ago

Bluesky

The latest update for #IONIX includes "CVE-2025-9501: Identifying High-Risk #WordPress Instances Using W3 Total Cache" and "Why External Exposure Management Must Be at the Core of Your #SecurityOperations". #cybersecurity #AttackSurfaceManagement https://opsmtrs.com/3TB5mSA
  • 1h ago

Overview

  • 7-Zip
  • 7-Zip

19 Nov 2025
Published
21 Nov 2025
Updated

CVSS v3.0
HIGH (7.0)
EPSS
0.31%

KEV

Description

7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the handling of symbolic links in ZIP files. Crafted data in a ZIP file can cause the process to traverse to unintended directories. An attacker can leverage this vulnerability to execute code in the context of a service account. Was ZDI-CAN-26753.

Statistics

  • 1 Post
  • 3 Interactions

Last activity: 1 hour ago

Fediverse

Overview

  • RooCodeInc
  • Roo-Code

21 Nov 2025
Published
21 Nov 2025
Updated

CVSS v3.1
HIGH (8.1)
EPSS
0.08%

KEV

Description

Roo Code is an AI-powered autonomous coding agent that lives in users' editors. Prior to version 3.26.7, due to an error in validation, it was possible for Roo to automatically execute commands that did not match the allow-list prefixes. This issue has been patched in version 3.26.7.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 20 hours ago

Fediverse


🚨 CVE-2025-65946 (HIGH, CVSS 8.1): Roo-Code (<3.26.7) suffers from a command injection flaw (CWE-77). No auth/user input needed; remote code execution is possible. Patch to 3.26.7+ ASAP! Details: radar.offseq.com/threat/cve-20

  • 20h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 17 hours ago

Bluesky

For the #Fedora and #Linux community: A critical patch for GnuTLS (CVE-2025-9820) is now available on Fedora 43. Read more: 👉 tinyurl.com/3wdmzexx #Security
  • 17h ago

Overview

  • Fortinet
  • FortiWeb

14 Nov 2025
Published
20 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.4)
EPSS
66.90%

Description

A relative path traversal vulnerability in Fortinet FortiWeb 8.0.0 through 8.0.1, FortiWeb 7.6.0 through 7.6.4, FortiWeb 7.4.0 through 7.4.9, FortiWeb 7.2.0 through 7.2.11, FortiWeb 7.0.0 through 7.0.11 may allow an attacker to execute administrative commands on the system via crafted HTTP or HTTPS requests.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 21 hours ago

Bluesky

When The Impersonation Function Gets Used To Impersonate Users (Fortinet FortiWeb Auth. Bypass CVE-2025-64446) labs.watchtowr.com/when-the-imp...
  • 21h ago

Overview

  • scripteo
  • Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager

24 Nov 2025
Published
24 Nov 2025
Updated

CVSS v3.1
HIGH (7.5)
EPSS
Pending

KEV

Description

The Ads Pro Plugin - Multi-Purpose WordPress Advertising Manager plugin for WordPress is vulnerable to time-based SQL Injection via the ‘site_id’ parameter in all versions up to, and including, 4.95 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Statistics

  • 1 Post

Last activity: 1 hour ago

Fediverse


⚠️ CVE-2025-7402: HIGH severity SQL Injection in Ads Pro Plugin (≤4.95) for WordPress. Unauthenticated attackers can leak DB data via 'site_id'—patch unavailable. Deploy WAF & monitor activity! radar.offseq.com/threat/cve-20

  • 1h ago

Overview

  • AMD
  • Kria™ SOM

23 Nov 2025
Published
23 Nov 2025
Updated

CVSS v4.0
HIGH (8.6)
EPSS
Pending

KEV

Description

The security state of the calling processor into Arm® Trusted Firmware (TF-A) is not used and could potentially allow non-secure processors access to secure memories, access to crypto operations, and the ability to turn on and off subsystems within the SOC.

Statistics

  • 1 Post

Last activity: 5 hours ago

Fediverse


🚨 CVE-2025-48507 (HIGH): AMD Kria™ SOM flaw lets non-secure processors access secure memory & crypto ops via improper validation in TF-A. Patch ASAP, restrict access, and monitor for exploitation. radar.offseq.com/threat/cve-20

  • 5h ago

Overview

  • D-Link
  • DIR-822K

23 Nov 2025
Published
23 Nov 2025
Updated

CVSS v4.0
HIGH (8.7)
EPSS
Pending

KEV

Description

A security flaw has been discovered in D-Link DIR-822K and DWR-M920 1.00_20250513164613/1.1.50. The impacted element is an unknown function of the file /boafrm/formWlEncrypt. The manipulation of the argument submit-url results in buffer overflow. The attack may be performed from remote. The exploit has been released to the public and may be exploited.

Statistics

  • 1 Post

Last activity: 2 hours ago

Fediverse


🚨 HIGH severity (CVSS 8.7) buffer overflow in D-Link DIR-822K (CVE-2025-13552): Remote, unauthenticated exploit in /boafrm/formWlEncrypt—public PoC available. Restrict WAN access & monitor for updates! radar.offseq.com/threat/cve-20

  • 2h ago

Overview

  • D-Link
  • DWR-M920

23 Nov 2025
Published
23 Nov 2025
Updated

CVSS v4.0
HIGH (8.7)
EPSS
Pending

KEV

Description

A weakness has been identified in D-Link DWR-M920 1.1.50. This affects the function sub_41C7FC of the file /boafrm/formPinManageSetup. Manipulation of the argument submit-url causes a buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be exploited.

Statistics

  • 1 Post

Last activity: 4 hours ago

Fediverse


🚨 Buffer overflow (HIGH, CVSS 8.7) in D-Link DWR-M920 v1.1.50! Remote, unauthenticated exploit possible via /boafrm/formPinManageSetup—public exploit out. Restrict access, monitor now, patch ASAP. CVE-2025-13553 radar.offseq.com/threat/cve-20

  • 4h ago