24h | 7d | 30d

Overview

  • NVIDIA
  • DGX Spark

25 Nov 2025
Published
26 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.3)
EPSS
0.01%

KEV

Description

NVIDIA DGX Spark GB10 contains a vulnerability in SROOT, where an attacker could use privileged access to gain access to SoC protected areas. A successful exploit of this vulnerability might lead to code execution, information disclosure, data tampering, denial of service, or escalation of privileges.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 6 hours ago

Fediverse

Profile picture

NVIDIA has released a critical DGX Spark firmware update addressing 14 vulnerabilities - including CVE-2025-33187 (CVSS 9.3), which enables malicious code execution and access to protected SoC regions.

Firmware flaws in AI workstations can impact model integrity, training data, and system stability.

Organizations using DGX Spark should patch immediately.

Source: cybersecuritynews.com/nvidia-d

What’s your view on firmware security in AI-focused hardware?
Follow us for more analysis.

  • 0
  • 0
  • 0
  • 6h ago

Bluesky

Profile picture
NVIDIA has issued a critical update for DGX Spark after discovering 14 firmware vulnerabilities affecting core system components. CVE-2025-33187 (9.3) poses the highest risk, enabling code execution and potential SoC access. #cybersecurity #NVIDIA #DGXSpark #AIsecurity #CVE #infosec #securitynews
  • 0
  • 1
  • 0
  • 6h ago

Overview

  • Digital Bazaar
  • node-forge

25 Nov 2025
Published
25 Nov 2025
Updated

CVSS
Pending
EPSS
0.06%

KEV

Description

An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.

Statistics

  • 2 Posts

Last activity: 2 hours ago

Fediverse

Profile picture

Popular Forge Library Receives Fix for Signature Verification Bypass Flaw
Source: bleepingcomputer.com/news/secu
A high-severity vulnerability in the node-forge package, a widely used JavaScript cryptography library, has been patched after researchers discovered a method to bypass digital signature verification.
Tracked as CVE-2025-12816, the flaw stems from weaknesses in the library’s ASN.1 validation logic. The issue allowed specially crafted, malformed data to pass signature checks despite being cryptographically invalid.
According to an advisory from Carnegie Mellon CERT-CC, the risk varies by implementation but may include:
Authentication bypass
Tampering with signed data
Misuse or manipulation of certificate-related functionality
CERT-CC noted that environments relying heavily on cryptographic verification could face particularly serious consequences.
The potential impact is amplified by the library’s widespread adoption, with nearly 26 million weekly downloads on the NPM registry.

  • 0
  • 0
  • 0
  • 2h ago

Bluesky

Profile picture
JavaScriptライブラリForgeのCVE-2025-12816とは何か:署名検証不備がもたらすリスク innovatopia.jp/cyber-securi... JavaScriptの暗号ライブラリ「Forge(node-forge)」で見つかった今回の脆弱性は、単なるバグというよりも「信頼の前提」が揺らぐタイプの問題です。署名検証は、送信者の正当性とデータの完全性を支える最後の砦であり、ここがバイパス可能になると、その上に乗っている認証やアップデート配信の安全性そのものが危うくなります。
  • 0
  • 0
  • 0
  • 13h ago

Overview

  • Oracle Corporation
  • Identity Manager

21 Oct 2025
Published
22 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
60.96%

Description

Vulnerability in the Identity Manager product of Oracle Fusion Middleware (component: REST WebServices). Supported versions that are affected are 12.2.1.4.0 and 14.1.2.1.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Identity Manager. Successful attacks of this vulnerability can result in takeover of Identity Manager. CVSS 3.1 Base Score 9.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Statistics

  • 2 Posts

Last activity: 7 hours ago

Bluesky

Profile picture
#Barracuda recommends the following actions to secure Oracle Identity Manager against CVE-2025-61757. Check out the #CybersecurityThreatAdvisory to keep your clients protected: https://bit.ly/3Kh7mPV
  • 0
  • 0
  • 0
  • 23h ago

Overview

  • Studio-42
  • elFinder

14 Jun 2021
Published
03 Aug 2024
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
93.47%

KEV

Description

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Several vulnerabilities affect elFinder 2.1.58. These vulnerabilities can allow an attacker to execute arbitrary code and commands on the server hosting the elFinder PHP connector, even with minimal configuration. The issues were patched in version 2.1.59. As a workaround, ensure the connector is not exposed without authentication.

Statistics

  • 1 Post
  • 4 Interactions

Last activity: 22 hours ago

Fediverse

Profile picture

This is, um, *alot* of coordinated, calculated, automation to see where "elFinder" is.

New CVE/0-Day coming?

Starting the 6-week countdown.

viz.greynoise.io/tags/elfinder

  • 1
  • 3
  • 0
  • 22h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 3 Interactions

Last activity: 23 hours ago

Bluesky

Profile picture
At #Pwn2Own2025, our experts Tek & @anyfun.bsky.social remotely compromised a Synology Beestation Plus via a pre-auth exploit, leading to full system takeover. The vuln is now tracked as CVE-2025-12686 🔍 🔗 Full write-up: www.synacktiv.com/en/publicati...
  • 1
  • 2
  • 0
  • 23h ago

Overview

  • Huawei
  • HarmonyOS

28 Nov 2025
Published
28 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.3)
EPSS
0.01%

KEV

Description

Permission control vulnerability in the memory management module. Impact: Successful exploitation of this vulnerability may affect confidentiality.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 10 hours ago

Fediverse

Profile picture

⚠️ CRITICAL: CVE-2025-64314 in Huawei HarmonyOS 5.1.0 enables type confusion attacks via faulty permission controls. Potential for sensitive data exposure—no patch yet. Restrict device access & monitor for updates. radar.offseq.com/threat/cve-20

  • 1
  • 1
  • 0
  • 10h ago

Overview

  • symfony
  • symfony

12 Nov 2025
Published
13 Nov 2025
Updated

CVSS v3.1
HIGH (7.3)
EPSS
0.02%

KEV

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 6 hours ago

Fediverse

Profile picture

#ActuLibre Une faille dans Symfony permet de contourner les règles d'accès - CVE-2025-64500, à lire sur security-sensei.fr/posts/20251 #sécurité #web

  • 1
  • 0
  • 0
  • 6h ago

Overview

  • SDMC
  • NE6037

27 Nov 2025
Published
27 Nov 2025
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.29%

KEV

Description

Firmware in SDMC NE6037 routers prior to version 7.1.12.2.44 has a network diagnostics tool vulnerable to a shell command injection attacks. In order to exploit this vulnerability, an attacker has to log in to the router's administrative portal, which by default is reachable only via LAN ports.

Statistics

  • 1 Post

Last activity: 13 hours ago

Fediverse

Profile picture

🛑 CRITICAL: CVE-2025-8890 affects SDMC NE6037 routers <7.1.12.2.44. OS command injection via LAN admin portal can lead to full takeover. Patch when available, restrict admin access, and monitor activity! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 13h ago

Overview

  • Linux
  • Linux

17 Apr 2024
Published
04 May 2025
Updated

CVSS
Pending
EPSS
0.01%

KEV

Description

In the Linux kernel, the following vulnerability has been resolved: net: bridge: switchdev: Skip MDB replays of deferred events on offload Before this change, generation of the list of MDB events to replay would race against the creation of new group memberships, either from the IGMP/MLD snooping logic or from user configuration. While new memberships are immediately visible to walkers of br->mdb_list, the notification of their existence to switchdev event subscribers is deferred until a later point in time. So if a replay list was generated during a time that overlapped with such a window, it would also contain a replay of the not-yet-delivered event. The driver would thus receive two copies of what the bridge internally considered to be one single event. On destruction of the bridge, only a single membership deletion event was therefore sent. As a consequence of this, drivers which reference count memberships (at least DSA), would be left with orphan groups in their hardware database when the bridge was destroyed. This is only an issue when replaying additions. While deletion events may still be pending on the deferred queue, they will already have been removed from br->mdb_list, so no duplicates can be generated in that scenario. To a user this meant that old group memberships, from a bridge in which a port was previously attached, could be reanimated (in hardware) when the port joined a new bridge, without the new bridge's knowledge. For example, on an mv88e6xxx system, create a snooping bridge and immediately add a port to it: root@infix-06-0b-00:~$ ip link add dev br0 up type bridge mcast_snooping 1 && \ > ip link set dev x3 up master br0 And then destroy the bridge: root@infix-06-0b-00:~$ ip link del dev br0 root@infix-06-0b-00:~$ mvls atu ADDRESS FID STATE Q F 0 1 2 3 4 5 6 7 8 9 a DEV:0 Marvell 88E6393X 33:33:00:00:00:6a 1 static - - 0 . . . . . . . . . . 33:33:ff:87:e4:3f 1 static - - 0 . . . . . . . . . . ff:ff:ff:ff:ff:ff 1 static - - 0 1 2 3 4 5 6 7 8 9 a root@infix-06-0b-00:~$ The two IPv6 groups remain in the hardware database because the port (x3) is notified of the host's membership twice: once via the original event and once via a replay. Since only a single delete notification is sent, the count remains at 1 when the bridge is destroyed. Then add the same port (or another port belonging to the same hardware domain) to a new bridge, this time with snooping disabled: root@infix-06-0b-00:~$ ip link add dev br1 up type bridge mcast_snooping 0 && \ > ip link set dev x3 up master br1 All multicast, including the two IPv6 groups from br0, should now be flooded, according to the policy of br1. But instead the old memberships are still active in the hardware database, causing the switch to only forward traffic to those groups towards the CPU (port 0). Eliminate the race in two steps: 1. Grab the write-side lock of the MDB while generating the replay list. This prevents new memberships from showing up while we are generating the replay list. But it leaves the scenario in which a deferred event was already generated, but not delivered, before we grabbed the lock. Therefore: 2. Make sure that no deferred version of a replay event is already enqueued to the switchdev deferred queue, before adding it to the replay list, when replaying additions.

Statistics

  • 1 Post

Last activity: 21 hours ago

Bluesky

Profile picture
🚨 Critical vulnerability alert: CVE-2024-26837 affects MySQL Connector/J (v8.3.0 and prior). Remote attackers can cause DoS. Read more: 👉 tinyurl.com/4jhxk9e9 #Security #OpenSUSE
  • 0
  • 0
  • 0
  • 21h ago

Overview

  • SonicWall
  • SonicOS

23 Aug 2024
Published
21 Oct 2025
Updated

CVSS
Pending
EPSS
7.26%

Description

An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.

Statistics

  • 1 Post

Last activity: 2 hours ago

Fediverse

Profile picture

Akira’s SonicWall Exploits Are Disrupting Large Enterprises
Source: databreachtoday.com/akiras-son
The Akira ransomware group has found a path into large corporate networks by compromising SonicWall SSL VPN devices—hardware typically marketed to small- and medium-sized businesses. Once those firms are acquired by larger enterprises, these devices become high-value entry points for attackers.
Akira began exploiting CVE-2024-40766 between September and December 2024. The flaw was also leveraged by the Fog ransomware group during the same period.
A renewed wave of Akira activity surfaced this past summer, running from late July through at least September. According to Arctic Wolf, the volume and diversity of victims indicate opportunistic mass exploitation, rather than targeted attacks, with impacted organizations spanning multiple industries.

  • 0
  • 0
  • 0
  • 2h ago
Showing 1 to 10 of 21 CVEs