
Overview

  • Google
  • Android

15 Jan 2026
Published
15 Jan 2026
Updated

CVSS
Pending
EPSS
0.00%

KEV

Description

In key-based pairing, there is a possible ID due to a logic error in the code. This could lead to remote (proximal/adjacent) information disclosure of user's conversations and location with no additional execution privileges needed. User interaction is not needed for exploitation.

Statistics

  • 1 Post
  • 4 Interactions

Last activity: Last hour

Fediverse

Google "Fast Pair" is a security risk

Here you can see once again that "convenience" (or whatever the Americans take that to be) is a natural enemy of security. Google devised a method called Fast Pair that is meant to simplify pairing Bluetooth (BT) accessories with Android. Well intended, badly done. Researchers at the University of Leuven (Belgium) already found a vulnerability in the system last year and reported it confidentially to Google. Exactly when that was is not documented anywhere. The assigned bug number CVE-2025-36911 must (judging by the number) have been issued around the middle of the year.
The vulnerability

pc-fluesterer.info/wordpress/2

#Empfehlung #Mobilfunk #Warnung #android #bluetooth #google #hersteller #sicherheit #vorbeugen

Overview

  • Google
  • Chrome

07 Aug 2025
Published
07 Aug 2025
Updated

CVSS
Pending
EPSS
0.04%

KEV

Description

Inappropriate implementation in Extensions in Google Chrome prior to 139.0.7258.66 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 15 hours ago

Fediverse

Reminder this Wednesday.

🚨 OWASP Ottawa January Meetup – Featuring Vincent Dragnea! 🚨

OWASP Ottawa is excited to announce that we are hosting our first monthly meetup of the year! We’re thrilled to welcome Vincent Dragnea to our in-person meetup at the University of Ottawa on January 21, 2026.

RSVP at:

meetup.com/owasp-ottawa/events/312793912

📅 Date: January 21, 2026
⏰ Time: 6:00 PM EST – Arrival, networking & pizza 🍕
6:30 PM EST – Technical Talks
📍 Location: 150 Louis-Pasteur Private, University of Ottawa, Room 117
🎙️ Talk: "SameSite...or not? Bypassing SameSite cookie protections in browsers"

SameSite cookies are often relied upon too heavily to prevent cross-site request forgery, yet, due to browser implementations, these cookies can be included in unexpected requests. This talk demonstrates novel techniques to attach SameSite=Strict cookies to GET requests originating from another site, including a Google Chrome vulnerability (CVE-2025-8581) discovered while researching these methods. This material aims to help researchers identify insecure behaviors, as well as teach developers how to avoid them.

📺 Can’t make it in person? Watch live on the YouTube channel at youtube.com/@OWASP_Ottawa

Overview

  • Microsoft
  • Windows Server 2019

14 Oct 2025
Published
02 Jan 2026
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
73.53%

Description

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 18 hours ago

Fediverse

🚨 This week’s CrowdSec Threat Alert article highlights CVE-2025-59287, a critical WSUS RCE being actively probed and exploited in real-world environments.

Dive into the data, attack patterns, and mitigation steps 👉 crowdsec.net/vulntracking-repo

Overview

  • MongoDB Inc.
  • MongoDB Server

19 Dec 2025
Published
12 Jan 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
22.64%

Description

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 versions prior to 7.0.28, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 4 hours ago

Fediverse

2026-01-19 (Monday): Catching up on two infections in my lab from last week, and I added an entry with scans and probes and web traffic hitting my web server.

I attempted to set up MongoDB on my server to detect any "MongoBleed" CVE-2025-14847 activity, but I was unable to configure the server properly.

I opened TCP port 27017 on my Apache web server, and I'm only receiving web scans/probes on that port.

Feel free to check out my latest posts at malware-traffic-analysis.net/2

Or not. I'm not your parent. I can't tell you what to do.

Overview

  • NixOS
  • nixpkgs

19 Jan 2026
Published
19 Jan 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
Pending

KEV

Description

Tandoor Recipes is a recipe manager that can be installed with the Nix package manager. Starting in version 23.05 and prior to version 26.05, when using the default configuration of Tandoor Recipes, specifically using SQLite and default `MEDIA_ROOT`, the full database file may be externally accessible, potentially on the Internet. The root cause is that the NixOS module configures the working directory of Tandoor Recipes, as well as the value of `MEDIA_ROOT`, to be `/var/lib/tandoor-recipes`. This causes Tandoor Recipes to create its `db.sqlite3` database file in the same directory as `MEDIA_ROOT`, causing it to be accessible without authentication through HTTP like any other media file. This is the case when using `GUNICORN_MEDIA=1` or when using a web server like nginx to serve media files. NixOS 26.05 changes the default value of `MEDIA_ROOT` to a sub folder of the data directory. This only applies to configurations with `system.stateVersion` >= 26.05. For older configurations, one of the workarounds should be applied instead. NixOS 25.11 has received a backport of this patch, though it doesn't fix this vulnerability without user intervention. A recommended workaround is to move `MEDIA_ROOT` into a subdirectory. Non-recommended workarounds include switching to PostgreSQL or disallowing access to `db.sqlite3`.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 14 hours ago

Bluesky

Security Advisory: SQLite database externally accessible with the default settings of Tandoor Recipes module (CVE-2026-23838) discourse.nixos.org/t/security-a... #security #nixos #nixpkgs

Overview

  • Microsoft
  • Windows Admin Center in Azure Portal

13 Jan 2026
Published
16 Jan 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.02%

KEV

Description

Improper verification of cryptographic signature in Windows Admin Center allows an authorized attacker to elevate privileges locally.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 12 hours ago

Fediverse

‼️CVE-2026-20965: Windows Admin Center Azure SSO Flaw Risks Tenant-Wide Compromise

Details: Improper verification of cryptographic signature in Windows Admin Center allows an authorized attacker to elevate privileges locally.

CVSS: 7.5
CVE Published: January 13th, 2026

Advisory: msrc.microsoft.com/update-guid

Writeup: cymulate.com/blog/cve-2026-209

Overview

  • Totolink
  • LR350

19 Jan 2026
Published
19 Jan 2026
Updated

CVSS v4.0
HIGH (8.7)
EPSS
Pending

KEV

Description

A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This affects the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ssid leads to buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

Statistics

  • 1 Post

Last activity: 17 hours ago

Fediverse

🟠 CVE-2026-1157 - High (8.8)

A vulnerability was identified in Totolink LR350 9.3.5u.6369_B20220309. This affects the function setWiFiEasyCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument ssid leads to buffer overflow. It is possible to launch the attack...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Overview

  • Beckhoff Automation
  • TwinCAT.HMI.Server

20 Jan 2026
Published
20 Jan 2026
Updated

CVSS v3.1
MEDIUM (5.5)
EPSS
Pending

KEV

Description

On an instance of TwinCAT 3 HMI Server running on a device an authenticated administrator can inject arbitrary content into the custom CSS field which is persisted on the device and later returned via the login page and error page.

Statistics

  • 1 Post

Last activity: Last hour

Fediverse

VDE-2025-106
Beckhoff: XSS Vulnerability in TwinCAT 3 HMI Server

On an instance of TwinCAT 3 HMI Server running on a device an authenticated administrator can inject arbitrary content into the custom CSS field which is persisted on the device and later returned via the login page and error page.
CVE-2025-41768

certvde.com/en/advisories/vde-

beckhoff.csaf-tp.certvde.com/.

Overview

  • gunthercox
  • ChatterBot

19 Jan 2026
Published
19 Jan 2026
Updated

CVSS v3.1
HIGH (7.5)
EPSS
Pending

KEV

Description

ChatterBot is a machine learning, conversational dialog engine for creating chat bots. ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service unavailability and requiring a manual restart to recover. Version 1.2.11 fixes the issue.

Statistics

  • 1 Post

Last activity: 12 hours ago

Fediverse

🟠 CVE-2026-23842 - High (7.5)

ChatterBot is a machine learning, conversational dialog engine for creating chat bots. ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent ...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

Overview

  • jaraco
  • jaraco.context

20 Jan 2026
Published
20 Jan 2026
Updated

CVSS v3.1
HIGH (8.6)
EPSS
Pending

KEV

Description

jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0. The vulnerability may allow attackers to extract files outside the intended extraction directory when malicious tar archives are processed. The strip_first_component filter splits the path on the first `/` and extracts the second component, while allowing `../` sequences. Paths like `dummy_dir/../../etc/passwd` become `../../etc/passwd`. Note that this suffers from a nested tarball attack as well with multi-level tar files such as `dummy_dir/inner.tar.gz`, where the inner.tar.gz includes a traversal `dummy_dir/../../config/.env` that also gets translated to `../../config/.env`. Version 6.1.0 contains a patch for the issue.

Statistics

  • 1 Post

Last activity: 6 hours ago

Fediverse

🟠 CVE-2026-23949 - High (8.6)

jaraco.context, an open-source software package that provides some useful decorators and context managers, has a Zip Slip path traversal vulnerability in the `jaraco.context.tarball()` function starting in version 5.2.0 and prior to version 6.1.0....

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack