Overview

  • Mozilla
  • Firefox

11 Nov 2025
Published
25 Nov 2025
Updated

CVSS
Pending
EPSS
0.05%

KEV

Description

Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.

Statistics

  • 1 Post
  • 4 Interactions

Last activity: 18 hours ago

Fediverse

A high-severity Firefox WebAssembly bug (CVE-2025-13016) silently exposed over 180M users to potential code execution for 6 months, now patched in Firefox 145/ESR 140.5. 🔐 Users are urged to update ASAP. 🔄✨ Details: cyberinsider.com/dangerous-fir #Firefox #CyberSecurity #InfoSec #Newz

#Tor & #Mullvad are immune to this, given the security slider has been moved to "Safer" 💡. With LibreWolf, idk 🤷

  • 3
  • 1
  • 0
  • 18h ago

Overview

  • Microsoft
  • Azure Bastion Developer

20 Nov 2025
Published
26 Nov 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
0.09%

KEV

Description

Azure Bastion Elevation of Privilege Vulnerability

Statistics

  • 1 Post
  • 3 Interactions

Last activity: 19 hours ago

Fediverse

It can make your head spin. Microsoft's Azure Bastion (a disguised Apache Guacamole) had a vulnerability with a CVE score of 10.0.

borncity.com/blog/2025/11/25/a

  • 2
  • 1
  • 0
  • 19h ago

Overview

  • Studio-42
  • elFinder

14 Jun 2021
Published
03 Aug 2024
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
93.47%

KEV

Description

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.

Statistics

  • 1 Post
  • 4 Interactions

Last activity: 14 hours ago

Fediverse

This is, um, *a lot* of coordinated, calculated automation to see where "elFinder" is.

New CVE/0-Day coming?

Starting the 6-week countdown.

viz.greynoise.io/tags/elfinder

  • 1
  • 3
  • 0
  • 14h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 3 Interactions

Last activity: 16 hours ago

Bluesky

At #Pwn2Own2025, our experts Tek & @anyfun.bsky.social remotely compromised a Synology Beestation Plus via a pre-auth exploit, leading to full system takeover. The vuln is now tracked as CVE-2025-12686 🔍 🔗 Full write-up: www.synacktiv.com/en/publicati...
  • 1
  • 2
  • 0
  • 16h ago

Overview

  • oscaruh
  • Google Drive upload and download link

27 Nov 2025
Published
27 Nov 2025
Updated

CVSS v3.1
MEDIUM (6.4)
EPSS
0.03%

KEV

Description

The Google Drive upload and download link plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'link' parameter of the 'atachfilegoogle' shortcode in all versions up to, and including, 1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Statistics

  • 1 Post
  • 3 Interactions

Last activity: 20 hours ago

Bluesky

🚨 CVE-2025-12666 — Google Drive WordPress Plugin Stored XSS lets attackers inject scripts via shortcodes. Every visitor can be affected once saved. 🔗 basefortify.eu/cve_reports/... #CVE #WordPress #XSS #CyberSecurity
  • 1
  • 2
  • 0
  • 20h ago

Overview

  • Huawei
  • HarmonyOS

28 Nov 2025
Published
28 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.3)
EPSS
Pending

KEV

Description

Permission control vulnerability in the memory management module. Impact: Successful exploitation of this vulnerability may affect confidentiality.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 3 hours ago

Fediverse

⚠️ CRITICAL: CVE-2025-64314 in Huawei HarmonyOS 5.1.0 enables type confusion attacks via faulty permission controls. Potential for sensitive data exposure—no patch yet. Restrict device access & monitor for updates. radar.offseq.com/threat/cve-20

  • 1
  • 1
  • 0
  • 3h ago

Overview

  • Elated Themes
  • FindAll Listing

27 Nov 2025
Published
27 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.07%

KEV

Description

The FindAll Listing plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.0.5. This is due to the 'findall_listing_user_registration_additional_params' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site. Note: The vulnerability can only be exploited if the FindAll Membership plugin is also activated, because user registration is in that plugin.

Statistics

  • 1 Post

Last activity: 20 hours ago

Fediverse

🚨 CVE-2025-13538 (CRITICAL, CVSS 9.8): Elated Themes FindAll Listing plugin for WordPress lets unauthenticated attackers escalate to admin via registration if FindAll Membership is active. Disable user registration & monitor accounts! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 20h ago

Overview

  • SDMC
  • NE6037

27 Nov 2025
Published
27 Nov 2025
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
Pending

KEV

Description

Firmware in SDMC NE6037 routers prior to version 7.1.12.2.44 has a network diagnostics tool vulnerable to shell command injection attacks. In order to exploit this vulnerability, an attacker has to log in to the router's administrative portal, which by default is reachable only via LAN ports.

Statistics

  • 1 Post

Last activity: 6 hours ago

Fediverse

🛑 CRITICAL: CVE-2025-8890 affects SDMC NE6037 routers <7.1.12.2.44. OS command injection via LAN admin portal can lead to full takeover. Patch when available, restrict admin access, and monitor activity! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 6h ago

Overview

  • ASUS
  • Router

25 Nov 2025
Published
26 Nov 2025
Updated

CVSS v4.0
CRITICAL (9.2)
EPSS
0.10%

KEV

Description

An authentication-bypass vulnerability exists in AiCloud. This vulnerability can be triggered by an unintended side effect of the Samba functionality, potentially allowing execution of specific functions without proper authorization. Refer to the Security Update for ASUS Router Firmware section on the ASUS Security Advisory for more information.

Statistics

  • 1 Post

Last activity: 18 hours ago

Fediverse

ASUS warns of new critical auth-bypass flaw in AiCloud routers
bleepingcomputer.com/news/secu

ASUS has issued new firmware updates to address nine security vulnerabilities, including a critical authentication bypass flaw affecting routers with the AiCloud feature enabled.

AiCloud is a remote-access service built into many ASUS routers, allowing users to stream media or access files from their personal devices as if they were cloud-hosted.

According to the company, the critical vulnerability CVE-2025-59366 stems from an “unintended side effect” of the router’s Samba functionality. This flaw may allow certain functions to be executed without proper authorization.

In its Monday advisory, ASUS urged all customers to update their router firmware to the latest version immediately to ensure protection.

  • 0
  • 0
  • 0
  • 18h ago

Overview

  • djangoproject
  • Django
  • django

05 Nov 2025
Published
08 Nov 2025
Updated

CVSS
Pending
EPSS
0.01%

KEV

Description

An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

Statistics

  • 1 Post

Last activity: 22 hours ago

Bluesky

Critical Flaw: The “Secret Instruction” Hack in Django ORM (CVE-2025-64459) https://medium.com/@MuhammedAsfan/%EF%B8%8F-critical-flaw-the-secret-instruction-hack-in-django-orm-cve-2025-64459-2dfc899a165d?source=rss------bug_bounty-5
  • 0
  • 0
  • 0
  • 22h ago