Overview
- ESP32Async
- ESPAsyncWebServer
Description
Statistics
- 1 Post
- 6 Interactions
Fediverse

I know a bunch of you nerds like playing with ESP32s, etc.
sev:HIGH 8.7 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N
ESPAsyncWebServer is an asynchronous HTTP and WebSocket server library for ESP32, ESP8266, RP2040 and RP2350. In versions up to and including 3.7.8, a CRLF (Carriage Return Line Feed) injection vulnerability exists in the construction and output of HTTP headers within
AsyncWebHeader.cpp
. Unsanitized input allows attackers to inject CR (\r
) or LF (\n
) characters into header names or values, leading to arbitrary header or response manipulation. Manipulation of HTTP headers and responses can enable a wide range of attacks, making the severity of this vulnerability high. A fix is available at pull request 211 and is expected to be part of version 3.7.9.
Overview
- Ubiquiti Inc
- UISP Application
Description
Statistics
- 1 Post
- 7 Interactions
Fediverse

Fucking Ubiquiti showing they're the Tesla of networking yet again.
sev:CRIT 9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Multiple Authenticated SQL Injection vulnerabilities found in UISP Application (Version 2.4.206 and earlier) could allow a malicious actor with low privileges to escalate privileges.
Overview
Description
Statistics
- 1 Post
- 7 Interactions
Overview
- Canonical
- cloud-init
- cloud-init
Description
Statistics
- 1 Post
- 3 Interactions
Overview
- 5VTechnologies
- Blue Angel Software Suite
Description
Statistics
- 1 Post
- 3 Interactions
Fediverse

sigh
sev:CRIT 9.3 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
A hardcoded credential vulnerability exists in the Blue Angel Software Suite deployed on embedded Linux systems. The application contains multiple known default and hardcoded user accounts that are not disclosed in public documentation. These accounts allow unauthenticated or low-privilege attackers to gain administrative access to the device’s web interface.
And those creds are:
blueangel:blueangel
root:abnareum10
root:Admin@tbroad
root:superuser
user:user
guest:guest
Overview
- Pilz
- IndustrialPI 4 with Firmware Bullseye
Description
Statistics
- 1 Post
- 2 Interactions
Fediverse

#OT #Advisory VDE-2025-045
Pilz: Missing Authentication in Node-RED integration
#CVE CVE-2025-41656
https://certvde.com/en/advisories/VDE-2025-045
#CSAF https://pilz.csaf-tp.certvde.com/.well-known/csaf/white/2025/ppsa-2025-002.json
Overview
- Debian
- zulucrypt
Description
Statistics
- 1 Post
- 1 Interaction
Fediverse

That's kind of a fun PrivEsc.
sev:CRIT 9.3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
The Debian zuluPolkit/CMakeLists.txt file for zuluCrypt through the zulucrypt_6.2.0-1 package has insecure PolicyKit allow_any/allow_inactive/allow_active settings that allow a local user to escalate their privileges to root.
Overview
- pterodactyl
- panel
Description
Statistics
- 1 Post
- 4 Interactions
Overview
Description
Statistics
- 1 Post
- 4 Interactions
Fediverse

Wait, we're still doing port knocking? I thought that was a lost art that got snuffed out by the "obscurity does not provide security" nerds.
https://github.com/mbuesch/letmein/security/advisories/GHSA-jpv7-p47h-f43j
Letmein is an authenticating port knocker. Prior to version 10.2.1, The connection limiter is implemented incorrectly. It allows an arbitrary amount of simultaneously incoming connections (TCP, UDP and Unix socket) for the services letmeind and letmeinfwd. Therefore, the command line option num-connections is not effective and does not limit the number of simultaneously incoming connections. This issue has been patched in version 10.2.1.
Overview
- ConvoyPanel
- panel
Description
Statistics
- 1 Post
- 3 Interactions
Fediverse

Oh my. Perfect 10 ../
in a KVM server management panel.
https://github.com/ConvoyPanel/panel/security/advisories/GHSA-43g3-qpwq-hfgg
sev:CRIT 10.0 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the LocaleController component of Performave Convoy. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request with malicious locale and namespace parameters. This allows the attacker to include and execute arbitrary PHP files on the server. This issue has been patched in version 4.4.1. A temporary workaround involves implementing strict Web Application Firewall (WAF) rules to incoming requests targeting the vulnerable endpoints.