
Overview

  • MongoDB Inc.
  • MongoDB Server

19 Dec 2025
Published
19 Dec 2025
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.04%

KEV

Description

Mismatched length fields in Zlib compressed protocol headers may allow a read of uninitialized heap memory by an unauthenticated client. This issue affects all MongoDB Server v7.0 versions prior to 7.0.28, MongoDB Server v8.0 versions prior to 8.0.17, MongoDB Server v8.2 versions prior to 8.2.3, MongoDB Server v6.0 versions prior to 6.0.27, MongoDB Server v5.0 versions prior to 5.0.32, MongoDB Server v4.4 versions prior to 4.4.30, MongoDB Server v4.2 versions greater than or equal to 4.2.0, MongoDB Server v4.0 versions greater than or equal to 4.0.0, and MongoDB Server v3.6 versions greater than or equal to 3.6.0.

Statistics

  • 16 Posts
  • 50 Interactions

Last activity: 2 hours ago

Fediverse


There’s a great blog on detecting MongoBleed exploitation via Velociraptor blog.ecapuano.com/p/hunting-mo

  • 20
  • 30
  • 0
  • 20h ago

🔍 HIGH severity: MongoDB flaw (CVE-2025-14847) lets unauthenticated users read uninitialized memory via zlib. Affects v3.6–8.2.3. Patch now or disable zlib compression for mitigation. Full details: radar.offseq.com/threat/new-mo

  • 0
  • 0
  • 0
  • 15h ago

[VULN] ⚠️ MongoDB warns of a high-severity flaw and urges patching

The vendor warns of a high-severity memory-read vulnerability that could be exploited remotely by unauthenticated attackers.
⬇️
🔗 Original source: bleepingcomputer.com/news/secu

PoC available (simple vector, few technical prerequisites,
broad attack surface, reproducible exploitation) 👀 : mongobleed
⬇️
• Observed impact: leak of memory fragments that may contain sensitive items such as internal MongoDB logs, server state, WiredTiger parameters, /proc data (e.g. meminfo, network statistics), Docker paths, connection UUIDs and client IPs. The PoC shows examples of leaks (e.g. MemAvailable, network counters) and reports the total amount of data exfiltrated as well as the number of unique fragments. ⚠️
( cyberveille.ch/posts/2025-12-2 )

[Official advisory]
👇
jira.mongodb.org/browse/SERVER

CVE-2025-14847

typically, if you have an exposed controller, it is better to check the firewall rules to block...
👇
community.ui.com/questions/Mon

💬
⬇️
infosec.pub/post/39604416

*edit 27.12: removed incorrect RCE attribution

  • 0
  • 0
  • 0
  • 15h ago

Bluesky

📌 Critical Unauthenticated Remote Code Execution Vulnerability in MongoDB (CVE-2025-14847) – Patch Immediately https://www.cyberhub.blog/article/17244-critical-unauthenticated-remote-code-execution-vulnerability-in-mongodb-cve-2025-14847-patch-immediately
  • 0
  • 0
  • 1
  • 23h ago
A new unauthorized exploit for MongoDB, CVE-2025-14847, has been released. Users are urged to patch their systems immediately to protect against potential vulnerabilities.
  • 0
  • 0
  • 0
  • 23h ago
A zlib-related length-handling bug in MongoDB (CVE-2025-14847) can let unauthenticated clients read uninitialized heap memory; update recommended.
  • 0
  • 0
  • 0
  • 17h ago
Linux.Detection.CVE202514847.MongoBleed :: Velociraptor
  • 0
  • 0
  • 0
  • 15h ago
A high-severity flaw, CVE-2025-14847 (CVSS 8.7), can let unauthenticated clients read uninitialized heap memory. The problem stems from mismatched length […]
  • 0
  • 0
  • 0
  • 15h ago
The vulnerability, tracked as CVE-2025-14847 (CVSS score: 8.7), has been described as a case of improper handling of length parameter inconsistency, which arises when a program fails to appropriately tackle scenarios where a length field is inconsistent with the actual length of
  • 0
  • 0
  • 0
  • 12h ago
Mongobleed - CVE-2025-14847
  • 0
  • 0
  • 2
  • 12h ago
[25.05] mongodb*: mark vulnerable to CVE-2025-14847 https://github.com/NixOS/nixpkgs/pull/474530 #security
  • 0
  • 0
  • 0
  • 10h ago
CVE-2025-14847 - MongoDB Unauthenticated Memory Leak Exploit A proof-of-concept exploit for the MongoDB zlib decompression vulnerability that allows unauthenticated attackers to leak sensitive server memory github.com/joe-desimone...
  • 0
  • 0
  • 0
  • 9h ago
MongoBleed (CVE‑2025‑14847): A Pre‑Auth MongoDB Memory Leak You Can Hunt at Scale https://medium.com/@Black1hp/mongobleed-cve-2025-14847-a-pre-auth-mongodb-memory-leak-you-can-hunt-at-scale-c8faa00f2bdd?source=rss------bug_bounty-5
  • 0
  • 0
  • 0
  • 2h ago

Overview

  • Xspeeder
  • SXZOS

27 Dec 2025
Published
27 Dec 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
Pending

KEV

Description

Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.

Statistics

  • 4 Posts
  • 4 Interactions

Last activity: 9 hours ago

Fediverse


🔴 CVE-2025-54322 - Critical (10)

Xspeeder SXZOS through 2025-12-26 allows root remote code execution via base64-encoded Python code in the chkid parameter to vLogin.py. The title and oIP parameters are also used.

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda

  • 1
  • 0
  • 0
  • 11h ago

Bluesky

Decoding CVE-2025-54322: A Deep Dive into the XSpeeder SXZOS Pre-Auth RCE 0‑Day + Video Introduction: A critical zero-day vulnerability, tracked as CVE-2025-54322, was publicly disclosed, revealing a pre-authentication Remote Code Execution (RCE) flaw in XSpeeder SXZOS software. The exploit, which…
  • 1
  • 0
  • 0
  • 17h ago
CVE-2025-54322 - XSpeeder (SXZOS) pre-auth RCE - Unauthenticated Root RCE affecting ~70,000+ Hosts - Xspeeder is a Chinese networking vendor known for edge devices like routers, SD-WAN appliances, and smart TV controllers.
  • 1
  • 0
  • 0
  • 14h ago
🤖 AI just found its first zero-day vulnerability. CVE-2025-54322 affects 70,000+ industrial network devices worldwide. No authentication needed. Root access. Full Details - www.cyberkendra.com/2025/12/ai-a... #Cybersecurity #AI #ZeroDay #InfoSec #IndustrialSecurity #TechNews #AIHacking
  • 1
  • 0
  • 0
  • 9h ago

Overview

  • langchain-ai
  • langchain

23 Dec 2025
Published
24 Dec 2025
Updated

CVSS v3.1
CRITICAL (9.3)
EPSS
0.05%

KEV

Description

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.

Statistics

  • 2 Posts
  • 2 Interactions

Last activity: 1 hour ago

Fediverse


A critical vulnerability in LangChain Core (CVE-2025-68664) allows prompt injection and data exposure by enabling attackers to instantiate unsafe objects during serialization and deserialization. This flaw, affecting widely used functions, can lead to secret leakage and potential code execution, with patches available in versions 1.2.5 and 0.3.81.
securityaffairs.com/186185/hac

  • 1
  • 1
  • 0
  • 1h ago

Critical LangChain Core Vulnerability Exposes Secrets via Serialization Injection

thehackernews.com/2025/12/crit

> A critical LangChain Core vulnerability (CVE-2025-68664, CVSS 9.3) allows secret theft and prompt injection through unsafe serialization; updates fix

#LangChain #unsafeDeserialization

  • 0
  • 0
  • 0
  • 13h ago

Overview

  • Fortinet FortiOS

24 Jul 2020
Published
21 Oct 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
45.02%

Description

An improper authentication vulnerability in SSL VPN in FortiOS 6.4.0, 6.2.0 to 6.2.3, 6.0.9 and below may result in a user being able to log in successfully without being prompted for the second factor of authentication (FortiToken) if they changed the case of their username.

Statistics

  • 2 Posts

Last activity: 18 hours ago

Fediverse


Fortinet confirms active exploitation of CVE-2020-12812.
A long-standing FortiOS SSL VPN flaw can bypass 2FA due to username case-sensitivity mismatches - especially in legacy deployments.

technadu.com/fortinet-warns-ju

Thoughts on mitigating MFA bypass risks?

  • 0
  • 0
  • 0
  • 18h ago

Bluesky

Fortinet warns attackers are actively exploiting a FortiOS SSL VPN flaw to bypass 2FA. CVE-2020-12812 shows how legacy configs can quietly weaken MFA controls. What’s your take? #Cybersecurity #Fortinet #SSLVPN
  • 0
  • 0
  • 0
  • 18h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 6 Interactions

Last activity: 2 hours ago

Fediverse


Unstable stream updates: 27th December 2025

Declarative moss system-model export and import tech preview features

Moss now has the ability to use a declarative `/etc/moss/system-model.kdl` to define installed packages and repositories.

In addition, for users who prefer the classic "imperative" moss experience, it is now possible to `moss state --export` a `system-model.kdl` file of the current system to share with others.

In turn, it is also possible to one-shot `moss sync --import` an existing `system-model.kdl` file.

These features are delivered as a tech preview.

Boulder package recipe version string requirements

The Boulder packaging tool now checks for a valid recipe version string (= anything starting with an integer) and errors out if the version string is not valid.

This is necessary because our `ent` package update checking tool compares version strings to determine whether packages need an update, and will give false positives if we have a version string that looks like e.g. `v0.1.2` (note the `v`).

Highlights

- KDE Frameworks 6.21.0
- KMSCon 9.2.1 (currently not enabled by default)
- NVIDIA graphics driver 590.48.01
- discord 0.0.119
- gamescope 3.16.18
- gstreamer 1.26.10
- linux 6.17.13
- mesa 25.3.2
- sudo-rs 0.2.11
- uutils-coreutils 0.5.0
- vlc 3.22
- vscode-bin 1.107.0
- vscodium 1.107.18627
- wine 11.0-rc3
- zed 0.217.3

Other updates

Other updates include, but are not limited to:

- fastfetch
- inetutils
- inputplumber
- libdrm
- libva
- ryzenadj
- solaar
- tzdata
- wireplumber

Fixes

- Disabled LTO for the build of our recipe version checking tool `ent`, which makes `ent check updates` actually work.
- Fixed a sudo issue where using Super+T to open a cosmic-terminal in a Cosmic session would make sudo unable to find any commands
- Made cosmic-greeter fall back to branded background

Security Fixes:

- Patches to networkmanager and networkmanager-openvpn for CVE-2025-9615

New packages

- font-awesome-ttf 6.7.2
- lsd 1.2.0 (next gen ls command)
- swayidle 1.9.0
- yazi 25.5.31 (terminal file manager)
- yubikey-manager 5.8.0

github.com/orgs/AerynOS/discus

#AerynOS #Linux #Rust

  • 2
  • 4
  • 0
  • 2h ago

Overview

  • apiDoc
  • apidoc-core

26 Dec 2025
Published
26 Dec 2025
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.19%

KEV

Description

Prototype pollution vulnerability in apidoc-core versions 0.2.0 and all subsequent versions allows remote attackers to modify JavaScript object prototypes via malformed data structures, including the “define” property processed by the application, potentially leading to denial of service or unintended behavior in applications relying on the integrity of prototype chains. This affects the preProcess() function in api_group.js, api_param_title.js, api_use.js, and api_permission.js worker modules.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 22 hours ago

Fediverse


🔥 CRITICAL: CVE-2025-13158 in apidoc-core (0.2.0+) enables remote prototype pollution via malformed input. Risks: DoS & unpredictable JS app behavior. Audit, sanitize, and isolate now — no patch yet! radar.offseq.com/threat/cve-20

  • 1
  • 0
  • 0
  • 22h ago

Overview

  • Linux
  • Linux

16 Dec 2025
Published
16 Dec 2025
Updated

CVSS
Pending
EPSS
0.02%

KEV

Description

In the Linux kernel, the following vulnerability has been resolved:

rust_binder: fix race condition on death_list

Rust Binder contains the following unsafe operation:

    // SAFETY: A `NodeDeath` is never inserted into the death list
    // of any node other than its owner, so it is either in this
    // death list or in no death list.
    unsafe { node_inner.death_list.remove(self) };

This operation is unsafe because when touching the prev/next pointers of a list element, we have to ensure that no other thread is also touching them in parallel. If the node is present in the list that `remove` is called on, then that is fine because we have exclusive access to that list. If the node is not in any list, then it's also ok. But if it's present in a different list that may be accessed in parallel, then that may be a data race on the prev/next pointers.

And unfortunately that is exactly what is happening here. In Node::release, we:

1. Take the lock.
2. Move all items to a local list on the stack.
3. Drop the lock.
4. Iterate the local list on the stack.

Combined with threads using the unsafe remove method on the original list, this leads to memory corruption of the prev/next pointers. This leads to crashes like this one:

Thus, modify Node::release to pop items directly off the original list.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 19 hours ago

Bluesky

#Linux kernel vulnerability (CVE-2025-68260) fixed - Rocket Boys LLC (合同会社ロケットボーイズ) Malware distribution via a fake Hamster Kombat confirmed · Google ... exploited in targeted attacks ... rocket-boys.co.jp/security-mea...
  • 0
  • 1
  • 0
  • 19h ago

Overview

  • Fortinet
  • FortiSwitchManager

09 Dec 2025
Published
17 Dec 2025
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
5.95%

Description

An improper verification of cryptographic signature vulnerability in Fortinet FortiOS 7.6.0 through 7.6.3, FortiOS 7.4.0 through 7.4.8, FortiOS 7.2.0 through 7.2.11, FortiOS 7.0.0 through 7.0.17, FortiProxy 7.6.0 through 7.6.3, FortiProxy 7.4.0 through 7.4.10, FortiProxy 7.2.0 through 7.2.14, FortiProxy 7.0.0 through 7.0.21, FortiSwitchManager 7.2.0 through 7.2.6, FortiSwitchManager 7.0.0 through 7.0.5 allows an unauthenticated attacker to bypass the FortiCloud SSO login authentication via a crafted SAML response message.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 19 hours ago

Bluesky

Network security: CVE-2025-59718 is a reminder of the fragility of identity verification chains - IT SOCIAL itsocial.fr/cybersecurit...
  • 0
  • 1
  • 0
  • 19h ago

Overview

  • eigent-ai
  • eigent

27 Dec 2025
Published
27 Dec 2025
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.33%

KEV

Description

Eigent is a multi-agent Workforce. In version 0.0.60, a 1-click Remote Code Execution (RCE) vulnerability has been identified in Eigent. This vulnerability allows an attacker to execute arbitrary code on the victim's machine or server through a specific interaction (1-click). This issue has been patched in version 0.0.61.

Statistics

  • 1 Post

Last activity: 21 hours ago

Fediverse


CRITICAL: CVE-2025-68952 in eigent-ai Eigent v0.0.60 enables unauthenticated RCE over the network. Patch to 0.0.61 now! Impact: full system compromise, data loss. 🛡️ radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 21h ago

Overview

  • Adobe
  • Adobe Commerce

09 Sep 2025
Published
24 Oct 2025
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
59.15%

Description

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.

Statistics

  • 1 Post

Last activity: 17 hours ago

Bluesky

Uncovering the critical Adobe Commerce vulnerability CVE-2025-54236: customer account security faces a serious threat https://qian.cx/posts/E982DB84-0E30-41C9-8E99-07667913311D
  • 0
  • 0
  • 0
  • 17h ago