Overview

  • Mozilla
  • Firefox

11 Nov 2025
Published
25 Nov 2025
Updated

CVSS
Pending
EPSS
0.05%

KEV

Description

Incorrect boundary conditions in the JavaScript: WebAssembly component. This vulnerability affects Firefox < 145, Firefox ESR < 140.5, Thunderbird < 145, and Thunderbird < 140.5.

Statistics

  • 3 Posts
  • 1 Interaction

Last activity: 3 hours ago

Bluesky

Update Firefox to Patch CVE-2025-13016 Vulnerability Affecting 180 Million Users – Hackread – Cybersecurity News, Data Breaches, Tech, AI, Crypto and More https://hackread.com/update-firefox-patch-cve-2025-13016-vulnerability/
  • 0
  • 1
  • 0
  • 19h ago
📌 Critical Firefox Vulnerability (CVE-2025-13016) Exposes 180 Million Users to Arbitrary Code Execution https://www.cyberhub.blog/article/16006-critical-firefox-vulnerability-cve-2025-13016-exposes-180-million-users-to-arbitrary-code-execution
  • 0
  • 0
  • 0
  • 18h ago
📢 CVE-2025-13016: buffer overflow in Firefox's WebAssembly engine fixed (RCE, CVSS 7.5) 📝 Source: AISLE — AISLE detail… https://cyberveille.ch/posts/2025-11-25-cve-2025-13016-depassement-de-tampon-dans-le-moteur-webassembly-de-firefox-corrige-rce-cvss-7-5/ #CVE_2025_13016 #Cyberveille
  • 0
  • 0
  • 0
  • 3h ago

Overview

  • ASUS
  • MyASUS

25 Nov 2025
Published
25 Nov 2025
Updated

CVSS v4.0
HIGH (8.5)
EPSS
0.01%

KEV

Description

A local privilege escalation vulnerability exists in the restore mechanism of ASUS System Control Interface. It can be triggered when an unprivileged actor copies files without proper validation into protected system paths, potentially leading to arbitrary files being executed as SYSTEM. For more information, please refer to section Security Update for MyASUS in the ASUS Security Advisory.

Statistics

  • 2 Posts
  • 3 Interactions

Last activity: 13 hours ago

Fediverse


ASUS has patched a high-severity local privilege escalation flaw (CVE-2025-59373) in MyASUS that allowed elevation to NT AUTHORITY/SYSTEM via the System Control Interface Service. Patch now shipped through Windows Update with updated versions for x64 and ARM.

Full details:
technadu.com/asus-fixes-high-s

  • 0
  • 0
  • 0
  • 13h ago

Bluesky

ASUS has issued a fix for a high-severity MyASUS privilege escalation flaw (CVE-2025-59373) that allowed SYSTEM-level access with minimal requirements. Updates are now rolling out through Windows Update. #CyberSecurity #ASUS #InfoSec #WindowsSecurity
  • 1
  • 2
  • 0
  • 13h ago

Overview

  • factionsecurity
  • faction

26 Nov 2025
Published
26 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.7)
EPSS
0.18%

KEV

Description

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1.

Statistics

  • 2 Posts
  • 2 Interactions

Last activity: 16 hours ago

Fediverse


⚠️ CVE-2025-66022: Critical RCE in Faction (<1.7.1). Unauthenticated attackers can upload extensions, execute commands, and fully compromise systems. Patch to 1.7.1 now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 21h ago

Bluesky

🚨 CVE-2025-66022 — Faction Framework RCE Unauthenticated attackers can upload malicious extensions and execute commands on the server. This is full remote compromise. Patch immediately to v1.7.1. 🔗 basefortify.eu/cve_reports/... #CVE #CyberSecurity #RCE #OpenSource #PatchNow
  • 0
  • 2
  • 0
  • 16h ago

Overview

  • glib

26 Nov 2025
Published
26 Nov 2025
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.

Statistics

  • 1 Post
  • 11 Interactions

Last activity: 10 hours ago

Fediverse


That's an avenue that I admit I hadn't thought to check before. Seems so simple though.

access.redhat.com/security/cve

A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.

  • 3
  • 8
  • 0
  • 10h ago

Overview

  • Linux
  • Linux

20 May 2025
Published
26 May 2025
Updated

CVSS
Pending
EPSS
0.01%

KEV

Description

In the Linux kernel, the following vulnerability has been resolved: ksmbd: fix use-after-free in session logoff. The sess->user object can currently be in use by another thread, for example if another connection has sent a session setup request to bind to the session being freed. The handler for that connection could be in the smb2_sess_setup function, which makes use of sess->user.

Statistics

  • 1 Post
  • 3 Interactions

Last activity: 17 hours ago

Fediverse


Accessibility and design

#NotesHebdo

#accessibilité #design #LLM #NotesHebdo #opensource #security

lascapi.fr/blog/2025/11/26/acc

  • 3
  • 0
  • 0
  • 17h ago

Overview

  • Red Hat
  • Red Hat Enterprise Linux 10
  • libtiff

23 Sep 2025
Published
24 Nov 2025
Updated

CVSS
Pending
EPSS
0.03%

KEV

Description

A flaw was found in Libtiff. This vulnerability is a "write-what-where" condition, triggered when the library processes a specially crafted TIFF image file. By providing an abnormally large image height value in the file's metadata, an attacker can trick the library into writing attacker-controlled color data to an arbitrary memory location. This memory corruption can be exploited to cause a denial of service (application crash) or to achieve arbitrary code execution with the permissions of the user.

Statistics

  • 1 Post
  • 4 Interactions

Last activity: 18 hours ago

Fediverse


To be a little more specific about the problem I'm interested in solving, this is a potential building block for an image processing pipeline for ActivityPub software. Mastodon uses ImageMagick, which is an old and well tested image manipulation tool, but it's only as sandboxed as the Mastodon server itself. Any vulnerability in ImageMagick leaves an attacker in a position to do anything the Mastodon server can do. That's an uncomfortable place to be because image library compromise isn't an outlandish possibility. It has happened a lot (check out this recent libtiff CVE: nvd.nist.gov/vuln/detail/CVE-2). And I don't mean to say their developers are bad at what they do. Images are complex and this is a really hard problem!

  • 1
  • 3
  • 0
  • 18h ago

Overview

  • Pending

26 Nov 2025
Published
26 Nov 2025
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

Tinyproxy through 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c.

Statistics

  • 1 Post
  • 3 Interactions

Last activity: 9 hours ago

Fediverse


Hey @Viss :

github.com/rayinaw/my-hub/blob

Tinyproxy up to 1.11.2 contains an integer overflow vulnerability in the strip_return_port() function within src/reqs.c.

  • 1
  • 2
  • 0
  • 9h ago

Overview

  • DB Electronica Telecomunicazioni S.p.A.
  • Mozart FM Transmitter

26 Nov 2025
Published
26 Nov 2025
Updated

CVSS v4.0
CRITICAL (9.2)
EPSS
0.07%

KEV

Description

Unauthenticated Arbitrary File Deletion (patch_contents.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an unauthenticated attacker to delete arbitrary files. The `deletepatch` parameter in `patch_contents.php` allows unauthenticated deletion of arbitrary files in the `/var/www/patch/` directory without sanitization or access control checks.

Statistics

  • 2 Posts
  • 8 Interactions

Last activity: 9 hours ago

Fediverse


🚨 CVE-2025-66257 (CRITICAL, CVSS 9.2): Mozart FM Transmitters (DB Electronica) allow unauthenticated file deletion via patch_contents.php. Segment networks, monitor traffic, restrict access—patch pending! More: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 16h ago

Go hack more radio shit.

abdulmhsblog.com/posts/webfmvu

  • CVE-2025-66259: Authenticated Root RCE (main_ok.php)
  • CVE-2025-66253: Unauthenticated OS Command Injection (Upgrade)
  • CVE-2025-66261: Unauthenticated OS Command Injection (Restore)
  • CVE-2025-66262: Arbitrary File Overwrite (Tar Path Traversal)
  • CVE-2025-66250: Unrestricted File Upload (Status)
  • CVE-2025-66255: Unsigned Firmware Upload
  • CVE-2025-66256: Unrestricted Patch Upload
  • CVE-2025-66251: Path Traversal File Deletion
  • CVE-2025-66254: Arbitrary File Deletion (Upgrade)
  • CVE-2025-66263: Arbitrary File Read (Null Byte Injection)
  • CVE-2025-66260: SQL Injection
  • CVE-2025-66258: Stored XSS via XML Injection
  • CVE-2025-66257: Arbitrary Patch Deletion
  • CVE-2025-66252: Infinite Loop Denial of Service
  • 5
  • 3
  • 0
  • 9h ago

Overview

  • DB Electronica Telecomunicazioni S.p.A.
  • Mozart FM Transmitter

26 Nov 2025
Published
26 Nov 2025
Updated

CVSS v4.0
CRITICAL (9.9)
EPSS
0.93%

KEV

Description

Unauthenticated OS Command Injection (restore_settings.php) in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows remote code execution via the URL-decoded `name` parameter passed to exec(). The `/var/tdf/restore_settings.php` endpoint passes the user-controlled `$_GET["name"]` parameter through `urldecode()` directly into `exec()` without validation or escaping. Attackers can inject arbitrary shell commands using metacharacters (`;`, `|`, `&&`, etc.) to achieve unauthenticated remote code execution as the web server user.

Statistics

  • 2 Posts
  • 8 Interactions

Last activity: 9 hours ago

Fediverse


🚨 CRITICAL (CVSS 9.9): DB Electronica Mozart FM Transmitters (30–7000) vulnerable to unauthenticated OS command injection (CVE-2025-66261) via restore_settings.php. Restrict access, enable WAF/IDS, and monitor now! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 19h ago

Overview

  • DB Electronica Telecomunicazioni S.p.A.
  • Mozart FM Transmitter

26 Nov 2025
Published
26 Nov 2025
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.36%

KEV

Description

Authenticated Root Remote Code Execution via improper user input filtering in DB Electronica Telecomunicazioni S.p.A. Mozart FM Transmitter versions 30, 50, 100, 300, 500, 1000, 2000, 3000, 3500, 6000, 7000 allows an attacker to execute code: in main_ok.php, user-supplied data/hour/time values are passed directly into the date shell command.

Statistics

  • 2 Posts
  • 8 Interactions

Last activity: 9 hours ago

Fediverse


🚨 CRITICAL: CVE-2025-66259 hits DB Mozart FM Transmitters (v30-7000) — improper input validation lets authenticated root users execute remote code. Broadcast ops at risk — restrict access & monitor for RCE. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 17h ago