24h | 7d | 30d

CVE-2024-56089

Overview

  • Pending
01 Dec 2025
Published
01 Dec 2025
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

An issue in Technitium through v13.2.2 enables attackers to conduct a DNS cache poisoning attack and inject fake responses by reviving the birthday attack.

Statistics

  • 1 Post
  • 4 Interactions
Last activity: 15 hours ago

Fediverse

Profile picture
cR0w h0 h0 @cR0w

Technitium has a CVE for it:

cve.org/CVERecord?id=CVE-2024-

  • 0
  • 4
  • 0
  • 15h ago

CVE-2025-12559

Overview

  • Mattermost
  • Mattermost
27 Nov 2025
Published
28 Nov 2025
Updated
CVSS v3.1
MEDIUM (4.3)
EPSS
0.03%
KEV

Description

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint

Statistics

  • 1 Post
  • 2 Interactions
Last activity: 15 hours ago

Fediverse

Profile picture
cR0w h0 h0 @cR0w

Also:

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint

cve.org/CVERecord?id=CVE-2025-

  • 0
  • 2
  • 0
  • 15h ago

CVE-2025-12419

Overview

  • Mattermost
  • Mattermost
27 Nov 2025
Published
02 Dec 2025
Updated
CVSS v3.1
CRITICAL (9.9)
EPSS
0.07%
KEV

Description

Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 15 hours ago

Fediverse

Profile picture
cR0w h0 h0 @cR0w

And:

Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation or admin privileges to take over any user account via manipulation of authentication data during the OAuth completion flow

cve.org/CVERecord?id=CVE-2025-

  • 0
  • 1
  • 0
  • 15h ago

CVE-2025-66401

Overview

  • kapilduraphe
  • mcp-watch
01 Dec 2025
Published
01 Dec 2025
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
Pending
KEV

Description

MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host machine by appending shell metacharacters to the URL.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 7 hours ago

Fediverse

Profile picture
Offensive Sequence @offseq

๐Ÿ”ด CVE-2025-66401 (CRITICAL, CVSS 9.8): kapilduraphe mcp-watch โ‰ค0.1.2 is vulnerable to OS command injection via unsanitized githubUrl in cloneRepo. Attackers can execute arbitrary commands remotely. Audit, isolate, and monitor now! radar.offseq.com/threat/cve-20

  • 0
  • 1
  • 0
  • 7h ago

CVE-2025-65403

Overview

  • Pending
01 Dec 2025
Published
01 Dec 2025
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

A buffer overflow in the g_cfg.MaxUsers component of LightFTP v2.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 14 hours ago

Fediverse

Profile picture
cR0w h0 h0 @cR0w

BoF in LightFTP.

shimo.im/docs/9030JMJpv4IM4Nkw

A buffer overflow in the g_cfg.MaxUsers component of LightFTP v2.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

cve.org/CVERecord?id=CVE-2025-

  • 0
  • 1
  • 0
  • 14h ago

CVE-2025-41700

Overview

  • CODESYS
  • CODESYS Development System
01 Dec 2025
Published
01 Dec 2025
Updated
CVSS v3.1
HIGH (7.8)
EPSS
0.02%
KEV

Description

An unauthenticated attacker can trick a local user into executing arbitrary code by opening a deliberately manipulated CODESYS project file with a CODESYS development system. This arbitrary code is executed in the user context.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 20 hours ago

Fediverse

Profile picture
CERT@VDE @certvde

VDE-2025-101
CODESYS Development System - Deserialization of Untrusted Data

A vulnerability has been discovered in the print engine of the CODESYS development system. If a CODESYS project file or archive file was crafted in a specific way, the CODESYS development system could execute arbitrary code when a user opens these files and configures the print/printer options or prints the project or parts of it. This arbitrary code would be executed in the context of the user who was tricked into opening the project.
CVE-2025-41700

certvde.com/en/advisories/vde-

codesys.csaf-tp.certvde.com/.w

  • 0
  • 1
  • 0
  • 20h ago

CVE-2025-58360

Overview

  • geoserver
  • geoserver
25 Nov 2025
Published
25 Nov 2025
Updated
CVSS v3.1
HIGH (8.2)
EPSS
10.15%
KEV

Description

GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.

Statistics

  • 1 Post
Last activity: 21 hours ago

Bluesky

Profile picture
CrowdCyber @crowdcyber.bsky.social
High-Severity GeoServer Flaw (CVE-2025-58360) Allows Unauthenticated XXE for File Theft and SSRF
  • 0
  • 0
  • 0
  • 21h ago

CVE-2025-35028

Overview

  • 0x4m4
  • HexStrike AI
30 Nov 2025
Published
01 Dec 2025
Updated
CVSS v3.1
CRITICAL (9.1)
EPSS
0.03%
KEV

Description

By providing a command-line argument starting with a semi-colon ; to an API endpoint created by the EnhancedCommandExecutor class of the HexStrike AI MCP server, the resultant composed command is executed directly in the context of the MCP serverโ€™s normal privilege; typically, this is root. There is no attempt to sanitize these arguments in the default configuration of this MCP server at the affected version (as of commit 2f3a5512 in September of 2025).

Statistics

  • 1 Post
Last activity: 15 hours ago

Bluesky

Profile picture
Kevin Poireault @leekthehack.bsky.social
๐Ÿ‘€ VulnWatch Monday: CVE-2025-35028 ๐Ÿ”“ A critical vulnerability was found by the Austin Hackers Association in HexStrike AI MCP server. takeonme.org/cves/cve-202...
  • 0
  • 0
  • 0
  • 15h ago

CVE-2025-41738

Overview

  • CODESYS
  • CODESYS Control RTE (SL)
01 Dec 2025
Published
01 Dec 2025
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.08%
KEV

Description

An unauthenticated remote attacker may cause the visualisation server of the CODESYS Control runtime system to access a resource with a pointer of wrong type, potentially leading to a denial-of-service (DoS) condition.

Statistics

  • 1 Post
Last activity: 20 hours ago

Fediverse

Profile picture
CERT@VDE @certvde

VDE-2025-100
CODESYS Control - Invalid type usage in visualization

A vulnerability in the CODESYS Control runtime system's CmpVisuServer component allows attackers to cause a denial-of-service (DoS) by sending special request to the CODESYS Web- or remote Target Visu. The issue is triggered by an internal read access using a pointer of wrong type.
CVE-2025-41738

certvde.com/en/advisories/vde-

codesys.csaf-tp.certvde.com/.w

  • 0
  • 0
  • 0
  • 20h ago

CVE-2025-13601

Overview

  • glib
26 Nov 2025
Published
27 Nov 2025
Updated
CVSS
Pending
EPSS
0.01%
KEV

Description

A heap-based buffer overflow problem was found in glib through an incorrect calculation of buffer size in the g_escape_uri_string() function. If the string to escape contains a very large number of unacceptable characters (which would need escaping), the calculation of the length of the escaped string could overflow, leading to a potential write off the end of the newly allocated string.

Statistics

  • 1 Post
Last activity: 17 hours ago

Bluesky

Profile picture
ferramentaslinux.bsky.social @ferramentaslinux.bsky.social
Security Bulletin: CVE-2025-13601 / glib2 on Fedora 43. The #Fedora project has released glib2 2.86.2 to remediate a critical integer overflow vulnerability (CVE-2025-13601) in the g_escape_uri_string() function. Read more: ๐Ÿ‘‰ tinyurl.com/38fdekuw #Security
  • 0
  • 0
  • 0
  • 17h ago
Showing 11 to 20 of 45 CVEs