24h | 7d | 30d

CVE-2025-14847

Overview

  • MongoDB Inc.
  • MongoDB Server
19 Dec 2025
Published
19 Dec 2025
Updated
CVSS v4.0
HIGH (8.7)
EPSS
0.04%
KEV

Description

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 prior to 7.0.28 versions, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

Statistics

  • 11 Posts
Last activity: 5 hours ago

Fediverse

Profile picture
:mastodon: decio @decio

[VULN] ⚠️ MongoDB alerte sur une faille à haute gravité et urge de patcher

L'éditeur met en garde contre une vulnérabilité de lecture de mémoire de gravité élevée, qui pourrait être exploitée à distance par des attaquants non authentifiés.
⬇️
🔗 Source originale : bleepingcomputer.com/news/secu

PoC disponible (vecteur simple, peu de prérequis techniques,
surface d’attaque large, exploitation reproductible) 👀 : mongobleed
⬇️
• Impact observé: fuite de fragments de mémoire pouvant contenir des éléments sensibles tels que des journaux internes MongoDB, l’état du serveur, des paramètres WiredTiger, des données de /proc (ex. meminfo, statistiques réseau), des chemins Docker, des UUID de connexion et des IP clients. Le PoC montre des exemples de fuites (p. ex. MemAvailable, compteurs réseau) et indique la quantité totale de données exfiltrées ainsi que le nombre de fragments uniques. ⚠️
( cyberveille.ch/posts/2025-12-2 )

[Advisory officiel]
👇
jira.mongodb.org/browse/SERVER

CVE-2025-14847

typiquement, si vous avez un contrôleur exposé veut mieux verifier les règles firewall pour bloquer...
👇
community.ui.com/questions/Mon

💬
⬇️
infosec.pub/post/39604416

*edit 27.12 enlevé attribution incorrecte de RCE"

  • 0
  • 0
  • 0
  • 23h ago

Bluesky

Profile picture
Bitnewsbot @bitnewsbot.bsky.social
A high-severity flaw, CVE-2025-14847 (CVSS 8.7), can let unauthenticated clients read uninitialized heap memory. The problem stems from mismatched length […]
  • 0
  • 0
  • 0
  • 23h ago
Profile picture
guardian360.bsky.social @guardian360.bsky.social
The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), has been described as a case of improper handling of length parameter inconsistency, which arises when a program fails to appropriately tackle scenarios where a length field is inconsistent with the actual length of
  • 0
  • 0
  • 0
  • 20h ago
Profile picture
/r/netsec @r-netsec-bot.bsky.social
Mongobleed - CVE-2025-14847
  • 0
  • 0
  • 2
  • 21h ago
Profile picture
nixpkgs security changes @nixpkgssecuritychanges.gerbet.me
[25.05] mongodb*: mark vulnerable to CVE-2025-14847 https://github.com/NixOS/nixpkgs/pull/474530 #security
  • 0
  • 0
  • 0
  • 19h ago
Profile picture
WarthogTK @warthogtk.bsky.social
CVE-2025-14847 - MongoDB Unauthenticated Memory Leak Exploit A proof-of-concept exploit for the MongoDB zlib decompression vulnerability that allows unauthenticated attackers to leak sensitive server memory github.com/joe-desimone...
  • 0
  • 0
  • 1
  • 18h ago
Profile picture
Securitycipher @securitycipher.bsky.social
MongoBleed (CVE‑2025‑14847): A Pre‑Auth MongoDB Memory Leak You Can Hunt at Scale https://medium.com/@Black1hp/mongobleed-cve-2025-14847-a-pre-auth-mongodb-memory-leak-you-can-hunt-at-scale-c8faa00f2bdd?source=rss------bug_bounty-5
  • 0
  • 0
  • 0
  • 11h ago
Profile picture
SANS.edu Internet Storm Center @sansisc.bsky.social
SANS Stormcast Sunday, December 28th, 2025: MongoDB Unauthenticated Memory Leak CVE-2025-14847 https://isc.sans.edu/podcastdetail/9750
  • 0
  • 0
  • 0
  • 5h ago

CVE-2025-54322

Overview

  • Xspeeder
  • SXZOS
27 Dec 2025
Published
27 Dec 2025
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
Pending
KEV

Description

Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.

Statistics

  • 3 Posts
  • 3 Interactions
Last activity: 17 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

🔴 CVE-2025-54322 - Critical (10)

Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda

  • 1
  • 0
  • 0
  • 19h ago

Bluesky

Profile picture
r/blueteamsec bot @r-blueteamsec.bsky.social
CVE-2025-54322 - XSpeeder (SXZOS) pre-auth RCE - Unauthenticated Root RCE affecting ~70,000+ Hosts - Xspeeder is a Chinese networking vendor known for edge devices like routers, SD-WAN appliances, and smart TV controllers.
  • 1
  • 0
  • 0
  • 22h ago
Profile picture
Cyber Kendra @cyberkendra.com
🤖 AI just found its first zero-day vulnerability. CVE-2025-54322 affects 70,000+ industrial network devices worldwide. No authentication needed. Root access. Full Details - www.cyberkendra.com/2025/12/ai-a... #Cybersecurity #AI #ZeroDay #InfoSec #IndustrialSecurity #TechNews #AIHacking
  • 1
  • 0
  • 0
  • 17h ago

CVE-2025-68664

Overview

  • langchain-ai
  • langchain
23 Dec 2025
Published
24 Dec 2025
Updated
CVSS v3.1
CRITICAL (9.3)
EPSS
0.05%
KEV

Description

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.

Statistics

  • 3 Posts
  • 2 Interactions
Last activity: 5 hours ago

Fediverse

Profile picture
ekiledjian @edwardk

A critical vulnerability in LangChain Core (CVE-2025-68664) allows prompt injection and data exposure by enabling attackers to instantiate unsafe objects during serialization and deserialization. This flaw, affecting widely used functions, can lead to secret leakage and potential code execution, with patches available in versions 1.2.5 and 0.3.81.
securityaffairs.com/186185/hac

  • 1
  • 1
  • 0
  • 10h ago
Profile picture
maschmi @inw

Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection

thehackernews.com/2025/12/crit

> A critical LangChain Core vulnerability (CVE-2025-68664, CVSS 9.3) allows secret theft and prompt injection through unsafe serialization; updates fix

#LangChain #unsafeDeserialization

  • 0
  • 0
  • 0
  • 22h ago

Bluesky

Profile picture
CyberHub @cyberhub.blog
📌 Critical Vulnerability in LangChain Core (CVE-2025-68664) Enables Prompt Injection Attacks https://www.cyberhub.blog/article/17302-critical-vulnerability-in-langchain-core-cve-2025-68664-enables-prompt-injection-attacks
  • 0
  • 0
  • 0
  • 5h ago

CVE-2025-9615

Overview

  • Pending
Pending
Published
Pending
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 10 Interactions
Last activity: 11 hours ago

Fediverse

Profile picture
AerynOS.com @AerynOS

Unstable stream updates: 27th December 2025

Declarative moss system-model export and import tech preview features

Moss now has the ability to use a declarative `/etc/moss/system-model.kdl` to define installed packages and repositories.

In addition, for users who prefer the classic "imperative" moss experience, it is now possible to `moss state --export` a `system-model.kdl` file of the current system to share with others.

In turn, it is also possible to one-shot `moss sync --import` an existing `system-model.kdl` file.

These features are delivered as a tech preview.

Boulder package recipe version string requirements

The Boulder packaging tool now checks for a valid recipe version string (= anything starting with an integer) and errors out if the version string is not valid.

This is necessary because our `ent` package update checking tool compares version strings to determine whether packages need an update, and will give false positives if we have a version string that looks like e.g. `v0.1.2` (note the `v`).

Highlights

- KDE Frameworks 6.21.0
- KMSCon 9.2.1 (currently not enabled by default)
- NVIDIA graphics driver 590.48.01
- discord 0.0.119
- gamescope 3.16.18
- gstreamer 1.26.10
- linux 6.17.13
- mesa 25.3.2
- sudo-rs 0.2.11
- uutils-coreutils 0.5.0
- vlc 3.22
- vscode-bin 1.107.0
- vscodium 1.107.18627
- wine 11.0-rc3
- zed 0.217.3

Other updates

Other updates include, but are not limited to:

- fastfetch
- inetutils
- inputplumber
- libdrm
- libva
- ryzenadj
- solaar
- tzdata
- wireplumber

Fixes

- Disabled LTO for the build of our recipe version checking tool `ent`, which makes `ent check updates` actually work.
- Fixed a sudo issue where using Super+T to open a cosmic-terminal in a Cosmic sesion would make sudo unable to find any commands
- Made cosmic-greeter fall back to branded background

Security Fixes:

- Patches to networkmanager and networkmanager-openvpn for CVE-2025-9615

New packages

- font-awesome-ttf 6.7.2
- lsd 1.2.0 (next gen ls command)
- swayidle 1.9.0
- yazi 25.5.31 (terminal file manager)
- yubikey-manager 5.8.0

github.com/orgs/AerynOS/discus

#AerynOS #Linux #Rust

  • 4
  • 6
  • 0
  • 11h ago

CVE-2025-50165

Overview

  • Microsoft
  • Windows Server 2025 (Server Core installation)
12 Aug 2025
Published
21 Nov 2025
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
3.84%
KEV

Description

Untrusted pointer dereference in Microsoft Graphics Component allows an unauthorized attacker to execute code over a network.

Statistics

  • 1 Post
  • 3 Interactions
Last activity: 3 hours ago

Fediverse

Profile picture
Patrick C Miller :donor: @patrickcmiller

Revisiting CVE‑2025‑50165: A critical flaw in Windows Imaging Component welivesecurity.com/en/eset-res

  • 2
  • 1
  • 0
  • 3h ago

CVE-2025-55182

Overview

  • Meta
  • react-server-dom-webpack
03 Dec 2025
Published
11 Dec 2025
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
46.72%
KEV

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 7 hours ago

Bluesky

Profile picture
CyberHub @cyberhub.blog
📌 CVE-2025-55182 React Server Components Remote Code Execution Vulnerability Analysis https://www.cyberhub.blog/article/17296-cve-2025-55182-react-server-components-rce-vulnerability-analysis
  • 0
  • 1
  • 0
  • 7h ago

CVE-2025-13654

Overview

  • Duc
  • Duc
05 Dec 2025
Published
05 Dec 2025
Updated
CVSS
Pending
EPSS
0.05%
KEV

Description

A stack buffer overflow vulnerability exists in the buffer_get function of duc, a disk management tool, where a condition can evaluate to true due to underflow, allowing an out-of-bounds read.

Statistics

  • 1 Post
Last activity: 22 hours ago

Bluesky

Profile picture
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
🔐 Patch Alert for #openSUSE: CVE-2025-13654, a buffer logic error in the 'duc' utility, has been fixed in version 1.4.6. Affects SLE-15-SP7 Backports. Read more: 👉 tinyurl.com/2ezx4vuw #Security
  • 0
  • 0
  • 0
  • 22h ago

CVE-2025-9820

Overview

  • Pending
Pending
Published
Pending
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 2 Posts
Last activity: 22 hours ago

Bluesky

Profile picture
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
Technical deep dive: Analyzing CVE-2025-9820 in #GNUTLS's gnutls_pkcs11_token_init. Read more: 👉 tinyurl.com/34z5d5hz #Security #SUSE
  • 0
  • 0
  • 0
  • 23h ago
Profile picture
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
🚨 SECURITY UPDATE for #openSUSE #SUSE users: Patch GnuTLS now for CVE-2025-9820, a buffer overflow in the PKCS#11 module. Local DoS risk. Read more: 👉 tinyurl.com/55fjtjyn #Security
  • 0
  • 0
  • 0
  • 22h ago

CVE-2025-66738

Overview

  • Pending
26 Dec 2025
Published
27 Dec 2025
Updated
CVSS
Pending
EPSS
0.04%
KEV

Description

An issue in Yealink T21P_E2 Phone 52.84.0.15 allows a remote normal privileged attacker to execute arbitrary code via a crafted request the ping function of the diagnostic component.

Statistics

  • 1 Post
Last activity: 17 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

🟠 CVE-2025-66738 - High (8.8)

An issue in Yealink T21P_E2 Phone 52.84.0.15 allows a remote normal privileged attacker to execute arbitrary code via a crafted request the ping function of the diagnostic component.

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda

  • 0
  • 0
  • 0
  • 17h ago

CVE-2025-67499

Overview

  • containernetworking
  • plugins
09 Dec 2025
Published
10 Dec 2025
Updated
CVSS v3.1
MEDIUM (6.6)
EPSS
0.01%
KEV

Description

The CNI portmap plugin allows containers to emulate opening a host port, forwarding that traffic to the container. Versions 1.6.0 through 1.8.0 inadvertently forward all traffic with the same destination port as the host port when the portmap plugin is configured with the nftables backend, thus ignoring the destination IP. This includes traffic not intended for the node itself, i.e. traffic to containers hosted on the node. Containers that request HostPort forwarding can intercept all traffic destined for that port. This requires that the portmap plugin be explicitly configured to use the nftables backend. This issue is fixed in version 1.9.0. To workaround, configure the portmap plugin to use the iptables backend. It does not have this vulnerability.

Statistics

  • 1 Post
Last activity: 21 hours ago

Bluesky

Profile picture
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
New security advisory: #Fedora 43 has released an urgent patch for SingularityCE, addressing CVE-2025-67499. Read more: 👉 tinyurl.com/3cejjy2e #Security
  • 0
  • 0
  • 0
  • 21h ago
Showing 1 to 10 of 11 CVEs