Overview

  • NVIDIA
  • DGX Spark

25 Nov 2025
Published
26 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.3)
EPSS
0.01%

KEV

Description

NVIDIA DGX Spark GB10 contains a vulnerability in SROOT, where an attacker could use privileged access to gain access to SoC protected areas. A successful exploit of this vulnerability might lead to code execution, information disclosure, data tampering, denial of service, or escalation of privileges.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 19 hours ago

Fediverse

NVIDIA has released a critical DGX Spark firmware update addressing 14 vulnerabilities - including CVE-2025-33187 (CVSS 9.3), which enables malicious code execution and access to protected SoC regions.

Firmware flaws in AI workstations can impact model integrity, training data, and system stability.

Organizations using DGX Spark should patch immediately.

Source: cybersecuritynews.com/nvidia-d

What’s your view on firmware security in AI-focused hardware?
Follow us for more analysis.

  • 0
  • 0
  • 0
  • 19h ago

Bluesky

NVIDIA has issued a critical update for DGX Spark after discovering 14 firmware vulnerabilities affecting core system components. CVE-2025-33187 (9.3) poses the highest risk, enabling code execution and potential SoC access. #cybersecurity #NVIDIA #DGXSpark #AIsecurity #CVE #infosec #securitynews
  • 0
  • 1
  • 0
  • 19h ago

Overview

  • Pending

11 Jun 2021
Published
28 Nov 2025
Updated

CVSS
Pending
EPSS
0.25%

Description

OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm.

Statistics

  • 2 Posts

Last activity: 8 hours ago

Fediverse

🚨CVE-2021-26829: OpenPLC ScadaBR Cross-site Scripting Vulnerability

Vendor: OpenPLC
Product: ScadaBR
CWE: CWE-79
CVSS: 5.4

This vulnerability has been added to the CISA KEV Catalog.

darkwebinformer.com/cisa-kev-c

  • 0
  • 0
  • 0
  • 8h ago

Bluesky

CISA has added an actively exploited OpenPLC ScadaBR XSS vulnerability (CVE-2021-26829) to its KEV catalog. - IOCs: CVE-2021-26829 - #CVE202126829 #SCADA #ThreatIntel
  • 0
  • 0
  • 0
  • 8h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 4 Posts

Last activity: 4 hours ago

Bluesky

kdePackages.kdeconnect-kde: fix CVE-2025-66270 https://github.com/NixOS/nixpkgs/pull/465986 #security
  • 0
  • 0
  • 0
  • 11h ago
[Backport release-25.05] kdePackages.kdeconnect-kde: fix CVE-2025-66270 https://github.com/NixOS/nixpkgs/pull/466000 #security
  • 0
  • 0
  • 1
  • 10h ago
  • #466041 terraform-providers.hashicorp_awscc: 1.64.0 -> 1.65.0
  • #466034 mark: 15.0.0 -> 15.1.0
  • #466028 python3Packages.accelerate: 1.11.0 -> 1.12.0
  • #466026 rasm: 3.0 -> 3.0.1
  • #466012 kanidm_1_8: 1.8.1 -> 1.8.3
  • #466011 pinact: 3.4.4 -> 3.4.5
  • #465986 kdePackages.kdeconnect-kde: fix CVE-2025-66270
  • 0
  • 0
  • 0
  • 4h ago

Overview

  • symfony
  • symfony

12 Nov 2025
Published
13 Nov 2025
Updated

CVSS v3.1
HIGH (7.3)
EPSS
0.02%

KEV

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 20 hours ago

Fediverse

#ActuLibre A flaw in Symfony allows access rules to be bypassed - CVE-2025-64500, read more at security-sensei.fr/posts/20251 #sécurité #web

  • 1
  • 0
  • 0
  • 20h ago

Overview

  • factionsecurity
  • faction

26 Nov 2025
Published
26 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.7)
EPSS
0.18%

KEV

Description

FACTION is a PenTesting Report Generation and Collaboration Framework. Prior to version 1.7.1, an extension execution path in Faction’s extension framework permits untrusted extension code to execute arbitrary system commands on the server when a lifecycle hook is invoked, resulting in remote code execution (RCE) on the host running Faction. Due to a missing authentication check on the /portal/AppStoreDashboard endpoint, an attacker can access the extension management UI and upload a malicious extension without any authentication, making this vulnerability exploitable by unauthenticated users. This issue has been patched in version 1.7.1.

Statistics

  • 1 Post

Last activity: 13 hours ago

Bluesky

🔎 VulnWatch Friday: CVE-2025-66022 🔓 A critical vulnerability was discovered in Faction, a pentesting report generation framework developed by Faction Security. 🔧 This issue has been patched in version 1.7.1. 🔎 nvd.nist.gov/vuln/detail/...
  • 0
  • 0
  • 0
  • 13h ago

Overview

  • geoserver
  • geoserver

25 Nov 2025
Published
25 Nov 2025
Updated

CVSS v3.1
HIGH (8.2)
EPSS
7.96%

KEV

Description

GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.

Statistics

  • 2 Posts

Last activity: 13 hours ago

Bluesky

CVE-2025-58360: GeoServer XXE Vulnerability Analysis
  • 0
  • 0
  • 1
  • 13h ago

Overview

  • Microsoft
  • Windows Server 2025

12 Nov 2024
Published
21 Oct 2025
Updated

CVSS v3.1
MEDIUM (6.5)
EPSS
89.99%

Description

NTLM Hash Disclosure Spoofing Vulnerability

Statistics

  • 1 Post

Last activity: 8 hours ago

Bluesky

Zombie Protocol: How NTLM Flaws Like CVE-2024-43451 Are Haunting 2025
  • 0
  • 0
  • 0
  • 8h ago

Overview

  • SonicWall
  • SonicOS

23 Aug 2024
Published
21 Oct 2025
Updated

CVSS
Pending
EPSS
7.26%

Description

An improper access control vulnerability has been identified in the SonicWall SonicOS management access, potentially leading to unauthorized resource access and in specific conditions, causing the firewall to crash. This issue affects SonicWall Firewall Gen 5 and Gen 6 devices, as well as Gen 7 devices running SonicOS 7.0.1-5035 and older versions.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse

Akira’s SonicWall Exploits Are Disrupting Large Enterprises
Source: databreachtoday.com/akiras-son
The Akira ransomware group has found a path into large corporate networks by compromising SonicWall SSL VPN devices—hardware typically marketed to small- and medium-sized businesses. Once those firms are acquired by larger enterprises, these devices become high-value entry points for attackers.
Akira began exploiting CVE-2024-40766 between September and December 2024. The flaw was also leveraged by the Fog ransomware group during the same period.
A renewed wave of Akira activity surfaced this past summer, running from late July through at least September. According to Arctic Wolf, the volume and diversity of victims indicate opportunistic mass exploitation, rather than targeted attacks, with impacted organizations spanning multiple industries.

  • 0
  • 0
  • 0
  • 15h ago

Overview

  • Huawei
  • HarmonyOS

28 Nov 2025
Published
28 Nov 2025
Updated

CVSS v3.1
HIGH (7.3)
EPSS
0.01%

KEV

Description

Vulnerability of improper criterion security check in the call module. Impact: Successful exploitation of this vulnerability may cause features to perform abnormally.

Statistics

  • 1 Post

Last activity: 23 hours ago

Fediverse

⚠️ HIGH severity: CVE-2025-58308 in Huawei HarmonyOS (5.0.1, 5.1.0, 6.0.0) exposes call module to local exploitation—no patch available. Abnormal feature behavior could lead to data leaks or DoS. Restrict access & monitor! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 23h ago

Overview

  • Digital Bazaar
  • node-forge

25 Nov 2025
Published
25 Nov 2025
Updated

CVSS
Pending
EPSS
0.06%

KEV

Description

An interpretation-conflict (CWE-436) vulnerability in node-forge versions 1.3.1 and earlier enables unauthenticated attackers to craft ASN.1 structures to desynchronize schema validations, yielding a semantic divergence that may bypass downstream cryptographic verifications and security decisions.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse

Popular Forge Library Receives Fix for Signature Verification Bypass Flaw
Source: bleepingcomputer.com/news/secu
A high-severity vulnerability in the node-forge package, a widely used JavaScript cryptography library, has been patched after researchers discovered a method to bypass digital signature verification.
Tracked as CVE-2025-12816, the flaw stems from weaknesses in the library’s ASN.1 validation logic. The issue allowed specially crafted, malformed data to pass signature checks despite being cryptographically invalid.
According to an advisory from Carnegie Mellon CERT-CC, the risk varies by implementation but may include:
  • Authentication bypass
  • Tampering with signed data
  • Misuse or manipulation of certificate-related functionality
CERT-CC noted that environments relying heavily on cryptographic verification could face particularly serious consequences.
The potential impact is amplified by the library’s widespread adoption, with nearly 26 million weekly downloads on the NPM registry.

  • 0
  • 0
  • 0
  • 15h ago