24h | 7d | 30d

CVE-2025-59366

Overview

  • ASUS
  • Router
25 Nov 2025
Published
26 Nov 2025
Updated
CVSS v4.0
CRITICAL (9.2)
EPSS
0.10%
KEV

Description

An authentication-bypass vulnerability exists in AiCloud. This vulnerability can be triggered by an unintended side effect of the Samba functionality, potentially leading to allow execution of specific functions without proper authorization. Refer to the Security Update for ASUS Router Firmware section on the ASUS Security Advisory for more information.

Statistics

  • 2 Posts
Last activity: 20 hours ago

Fediverse

Profile picture
Jeff Hall - PCIGuru :verified: @jbhall56

The CVE-2025-59366 vulnerability "can be triggered by an unintended side effect of the Samba functionality, potentially leading to allow execution of specific functions without proper authorization." bleepingcomputer.com/news/secu

  • 0
  • 0
  • 1
  • 20h ago

CVE-2025-34351

Overview

  • The Ray Team
  • Anyscale Ray
27 Nov 2025
Published
27 Nov 2025
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
Pending
KEV

Description

Anyscale Ray 2.52.0 contains an insecure default configuration in which token-based authentication for Ray management interfaces (including the dashboard and Jobs API) is disabled unless explicitly enabled by setting RAY_AUTH_MODE=token. In the default unauthenticated state, a remote attacker with network access to these interfaces can submit jobs and execute arbitrary code on the Ray cluster. NOTE: The vendor plans to enable token authentication by default in a future release. They recommend enabling token authentication to protect your cluster from unauthorized access.

Statistics

  • 1 Post
Last activity: 5 hours ago

Fediverse

Profile picture
Offensive Sequence @offseq

🚨 CVE-2025-34351 (CRITICAL): Anyscale Ray 2.52.0 has token auth OFF by default—remote attackers can execute code via mgmt interfaces! Enable RAY_AUTH_MODE=token, restrict access, audit configs. Full details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 5h ago

CVE-2025-64459

Overview

  • djangoproject
  • Django
  • django
05 Nov 2025
Published
08 Nov 2025
Updated
CVSS
Pending
EPSS
0.01%
KEV

Description

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

Statistics

  • 1 Post
Last activity: Last hour

Bluesky

Profile picture
Securitycipher @securitycipher.bsky.social
️ Critical Flaw: The “Secret Instruction” Hack in Django ORM (CVE-2025–64459) https://medium.com/@MuhammedAsfan/%EF%B8%8F-critical-flaw-the-secret-instruction-hack-in-django-orm-cve-2025-64459-2dfc899a165d?source=rss------bug_bounty-5
  • 0
  • 0
  • 0
  • Last hour

CVE-2025-13675

Overview

  • DirectoryThemes
  • Tiger
27 Nov 2025
Published
27 Nov 2025
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
Pending
KEV

Description

The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the 'paypal-submit.php' file not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.

Statistics

  • 1 Post
Last activity: Last hour

Fediverse

Profile picture
Offensive Sequence @offseq

🚨 CRITICAL: CVE-2025-13675 in DirectoryThemes Tiger (WordPress) allows unauthenticated privilege escalation via 'paypal-submit.php.' All versions ≤101.2.1 affected. Disable the file & monitor admin accounts. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • Last hour

CVE-2025-64128

Overview

  • Zenitel
  • TCIV-3+
26 Nov 2025
Published
26 Nov 2025
Updated
CVSS v3.1
CRITICAL (10.0)
EPSS
Pending
KEV

Description

An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Validation fails to enforce sufficient formatting rules, which could permit attackers to append arbitrary data. This could allow an unauthenticated attacker to inject arbitrary commands.

Statistics

  • 1 Post
Last activity: 6 hours ago

Fediverse

Profile picture
Offensive Sequence @offseq

🚨 CRITICAL: CVE-2025-64128 (CVSS 10) in Zenitel TCIV-3+—unauthenticated remote OS command injection. No patch yet. Segment, restrict access, monitor for attacks. ICS & public safety devices at risk! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 6h ago

CVE-2025-54236

Overview

  • Adobe
  • Adobe Commerce
09 Sep 2025
Published
24 Oct 2025
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
42.76%
KEV

Description

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.

Statistics

  • 1 Post
Last activity: 19 hours ago

Bluesky

Profile picture
UndercodeTesting @undercode.bsky.social
Magento Mayhem: How a Single Input Validation Flaw Can Cripple Your E-Commerce Store (CVE-2025-54236) Introduction: A critical vulnerability has been identified in Adobe Magento Community Edition, threatening the security of countless e-commerce platforms worldwide. Designated as CVE-2025-54236…
  • 0
  • 0
  • 0
  • 19h ago

CVE-2025-13539

Overview

  • Elated Themes
  • FindAll Membership
27 Nov 2025
Published
27 Nov 2025
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
Pending
KEV

Description

The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'findall_membership_check_facebook_user' and the 'findall_membership_check_google_user' functions. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site which can easily be created by default through the temp user functionality, and access to the administrative user's email.

Statistics

  • 1 Post
Last activity: 3 hours ago

Fediverse

Profile picture
Offensive Sequence @offseq

🔒 CRITICAL: CVE-2025-13539 in Elated Themes FindAll Membership (WP) allows auth bypass via social login checks. All versions up to 1.0.4 impacted. Disable plugin, audit users, secure admin emails. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 3h ago

CVE-2025-12972

Overview

  • FluentBit
  • FluentBit
24 Nov 2025
Published
24 Nov 2025
Updated
CVSS
Pending
EPSS
0.10%
KEV

Description

Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. This allows attackers with network access to craft tags containing path traversal sequences that cause Fluent Bit to write files outside the intended output directory.

Statistics

  • 1 Post
Last activity: 11 hours ago

Bluesky

Profile picture
CyberVeille @cyberveille-ch.bsky.social
📢 Chaîne de 5 vulnérabilités critiques dans Fluent Bit expose les environnements cloud à une prise de contrôle 📝 Selon O… https://cyberveille.ch/posts/2025-11-25-chaine-de-5-vulnerabilites-critiques-dans-fluent-bit-expose-les-environnements-cloud-a-une-prise-de-controle/ #CVE_2025_12972 #Cyberveille
  • 0
  • 0
  • 0
  • 11h ago

CVE-2025-26633

Overview

  • Microsoft
  • Windows 10 Version 1809
11 Mar 2025
Published
21 Oct 2025
Updated
CVSS v3.1
HIGH (7.0)
EPSS
9.34%
KEV

Description

Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally.

Statistics

  • 1 Post
Last activity: 16 hours ago

Fediverse

Profile picture
CyberNetsecIO @netsecio

📰 Water Gamayun APT Exploits Novel 'MSC EvilTwin' Windows Flaw in Stealthy Attacks

⚠️ Russia-aligned APT Water Gamayun exploits novel 'MSC EvilTwin' Windows flaw (CVE-2025-26633). The attack uses malicious .msc files to proxy PowerShell execution via mmc.exe, bypassing defenses. #APT #Vulnerability #CyberAttack #WaterGamayun

🔗 cyber.netsecops.io/articles/wa

  • 0
  • 0
  • 0
  • 16h ago

CVE-2025-62593

Overview

  • ray-project
  • ray
26 Nov 2025
Published
26 Nov 2025
Updated
CVSS v4.0
CRITICAL (9.4)
EPSS
Pending
KEV

Description

Ray is an AI compute engine. Prior to version 2.52.0, developers working with Ray as a development tool can be exploited via a critical RCE vulnerability exploitable via Firefox and Safari. This vulnerability is due to an insufficient guard against browser-based attacks, as the current defense uses the User-Agent header starting with the string "Mozilla" as a defense mechanism. This defense is insufficient as the fetch specification allows the User-Agent header to be modified. Combined with a DNS rebinding attack against the browser, and this vulnerability is exploitable against a developer running Ray who inadvertently visits a malicious website, or is served a malicious advertisement (malvertising). This issue has been patched in version 2.52.0.

Statistics

  • 1 Post
Last activity: 9 hours ago

Fediverse

Profile picture
Offensive Sequence @offseq

🚨 CVE-2025-62593 (CRITICAL): Ray AI <2.52.0 is vulnerable to RCE via DNS rebinding attacks (Firefox/Safari). Exploit enables unauthenticated code execution. Patch to 2.52.0+ ASAP! Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 9h ago
Showing 11 to 20 of 40 CVEs