
Overview

  • JBL
  • Flip 5

10 Dec 2025
Published
10 Dec 2025
Updated

CVSS v3.1
MEDIUM (6.5)
EPSS
0.02%

KEV

Description

An unauthorised attacker within Bluetooth range may exploit improper validation of the BLE connection request to deadlock the affected devices.

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 9 hours ago

Fediverse


VDE-2025-089
BLE ICM Vulnerability in JBL Headphones

The BLE controller in certain consumer products fails to properly validate the channel map field in connection requests, enabling attackers within radio range to cause a denial of service through a specially crafted packet.
CVE-2024-2105

certvde.com/en/advisories/vde-

harman.csaf-tp.certvde.com/.we

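The advisory text above says the controller fails to validate the channel map field of a connection request. The following is an added example in JavaScript, not code from Harman/JBL or from the VDE advisory: a host-side checker for the LLData of a BLE CONNECT_IND PDU that enforces the constraints the Bluetooth Core Specification places on the channel map (bits 37..39 reserved, at least two data channels) and on the other connection parameters. The sample packets are constructed; the advisory does not state which malformed value triggers the deadlock, so the checker rejects everything the specification forbids rather than one specific payload.

```javascript
// Added example (not from the advisory or from JBL firmware): parse and validate
// the LLData of a BLE CONNECT_IND PDU before a link layer acts on it.
// Layout per the Bluetooth Core Specification (Link Layer, CONNECT_IND), all
// multi-octet fields little-endian:
//   AA(4) CRCInit(3) WinSize(1) WinOffset(2) Interval(2) Latency(2) Timeout(2)
//   ChM(5) Hop:5|SCA:3(1)  = 22 octets

function parseConnectIndLLData(bytes) {
  if (bytes.length !== 22) {
    throw new Error(`CONNECT_IND LLData must be 22 octets, got ${bytes.length}`);
  }
  const u16 = (o) => bytes[o] | (bytes[o + 1] << 8);
  return {
    accessAddress: (bytes[0] | (bytes[1] << 8) | (bytes[2] << 16) | (bytes[3] << 24)) >>> 0,
    crcInit: bytes[4] | (bytes[5] << 8) | (bytes[6] << 16),
    winSize: bytes[7],                    // units of 1.25 ms
    winOffset: u16(8),                    // units of 1.25 ms
    interval: u16(10),                    // units of 1.25 ms
    latency: u16(12),                     // connection events
    timeout: u16(14),                     // units of 10 ms
    chm: Array.from(bytes.slice(16, 21)), // bit i = data channel i (0..36); bits 37..39 RFU
    hop: bytes[21] & 0x1f,
    sca: bytes[21] >> 5,
  };
}

// Count data channels 0..36 marked as used; RFU bits are deliberately not counted.
function usedChannels(chm) {
  let n = 0;
  for (let i = 0; i < 37; i++) if ((chm[i >> 3] >> (i & 7)) & 1) n++;
  return n;
}

// Returns a list of spec violations; an empty list means the parameters are sane.
function validateConnectInd(ll) {
  const problems = [];
  const used = usedChannels(ll.chm);
  if (ll.chm[4] & 0xe0) problems.push("ChM RFU bits 37..39 are set");
  if (used < 2) problems.push(`ChM enables ${used} data channel(s); the spec minimum is 2`);
  if (ll.hop < 5 || ll.hop > 16) problems.push(`hop increment ${ll.hop} outside 5..16`);
  if (ll.interval < 6 || ll.interval > 3200) problems.push(`connInterval ${ll.interval} outside 6..3200`);
  if (ll.winSize < 1 || ll.winSize > Math.min(8, ll.interval - 1)) problems.push(`transmitWindowSize ${ll.winSize} out of range`);
  if (ll.winOffset > ll.interval) problems.push(`transmitWindowOffset ${ll.winOffset} exceeds connInterval`);
  if (ll.latency > 499) problems.push(`connSlaveLatency ${ll.latency} exceeds 499`);
  if (ll.timeout < 10 || ll.timeout > 3200) problems.push(`connSupervisionTimeout ${ll.timeout} outside 10..3200`);
  // Supervision timeout (ms) must exceed (1 + latency) * connInterval (ms) * 2.
  if (ll.timeout * 10 <= (1 + ll.latency) * ll.interval * 1.25 * 2) {
    problems.push("connSupervisionTimeout too short for the interval and latency");
  }
  return problems;
}

function checkConnectInd(bytes) {
  return validateConnectInd(parseConnectIndLLData(bytes));
}

// Constructed sample LLData: interval 24 (30 ms), timeout 200 (2 s), all 37 channels, hop 9.
const SAMPLE_OK = [
  0x12, 0x34, 0x56, 0x78,       // AA (arbitrary)
  0xaa, 0xbb, 0xcc,             // CRCInit (arbitrary)
  0x02,                         // WinSize
  0x00, 0x00,                   // WinOffset
  0x18, 0x00,                   // Interval = 24
  0x00, 0x00,                   // Latency
  0xc8, 0x00,                   // Timeout = 200
  0xff, 0xff, 0xff, 0xff, 0x1f, // ChM: channels 0..36
  0x09,                         // Hop = 9, SCA = 0
];
// Same packet with an all-zero channel map: no usable data channel at all.
const SAMPLE_EMPTY_CHM = SAMPLE_OK.slice(0, 16).concat([0, 0, 0, 0, 0], [0x09]);
// Same packet with RFU bits set in the channel map and an out-of-range hop increment.
const SAMPLE_RFU_AND_HOP = SAMPLE_OK.slice(0, 16).concat([0xff, 0xff, 0xff, 0xff, 0xff], [0x11]);
```

A controller that derives its hopping sequence from a channel map with zero or one usable channel, or from a hop increment outside 5..16, can spin or stall in channel selection; rejecting the request at parse time, before any state is allocated for the connection, is the cheap fix.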

Overview

  • neuron-core
  • neuron-ai

10 Dec 2025
Published
11 Dec 2025
Updated

CVSS v3.1
CRITICAL (9.4)
EPSS
0.06%

KEV

Description

Neuron is a PHP framework for creating and orchestrating AI Agents. In versions 2.8.11 and below, the MySQLWriteTool executes arbitrary SQL provided by the caller using PDO::prepare() + execute() without semantic restrictions. This is consistent with the name (“write tool”), but in an LLM/agent context it becomes a high-risk capability: prompt injection or indirect prompt manipulation can cause execution of destructive queries such as DROP TABLE, TRUNCATE, DELETE, ALTER, or privilege-related statements (subject to DB permissions). Deployments that expose an agent with MySQLWriteTool enabled to untrusted input and/or run the tool with a DB user that has broad privileges are impacted. This issue is fixed in version 2.8.12.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 18 hours ago

Fediverse


CRITICAL: CVE-2025-67510 impacts neuron-core neuron-ai (<2.8.12). MySQLWriteTool allows arbitrary SQL via prompt injection—risk of data loss or escalation if DB privileges are broad. Upgrade ASAP! radar.offseq.com/threat/cve-20

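The description makes a point worth separating out: PDO prepare() and execute() stop injection into bound parameters, but say nothing about which statements the caller is allowed to issue, and in an agent the caller is whatever the model emitted after reading untrusted text. The following is an added example in JavaScript, not Neuron's PHP code: a deny-by-default gate that an agent harness could place in front of a write tool. The policy values are assumptions, the sample statements are constructed, and the gate is a defence-in-depth layer only; the control that actually bounds the damage is a database account granted nothing beyond INSERT and UPDATE on the tables the agent needs.

```javascript
// Added example (not Neuron's code): deny-by-default gate for SQL text that an LLM
// agent asks a "write tool" to execute. Policy values below are assumptions.
const DEFAULT_POLICY = {
  allowedStatements: ["INSERT", "UPDATE"],   // DELETE and all DDL/DCL are denied
  requireWhere: ["UPDATE", "DELETE"],        // no whole-table writes
  forbiddenKeywords: [
    "DROP", "TRUNCATE", "ALTER", "CREATE", "RENAME", "GRANT", "REVOKE",
    "LOAD", "OUTFILE", "DUMPFILE", "CALL", "SHUTDOWN", "KILL",
  ],
};

// Replace quoted literals with ? so that keywords inside data (a note whose body
// is the text "DROP TABLE") are not mistaken for statement structure.
function stripStringLiterals(sql) {
  return sql.replace(/'(?:[^'\\]|\\.|'')*'|"(?:[^"\\]|\\.|"")*"/g, "?");
}

function gateWriteSql(sql, policy = DEFAULT_POLICY) {
  const deny = (reason) => ({ allowed: false, reason });
  const text = sql.trim().replace(/;\s*$/, "");      // one trailing ; is harmless
  const bare = stripStringLiterals(text);
  if (/--|#|\/\*/.test(bare)) return deny("comments are not allowed");
  if (bare.includes(";")) return deny("multiple statements are not allowed");
  const m = /^([A-Za-z]+)/.exec(bare);
  if (!m) return deny("empty or unrecognised statement");
  const verb = m[1].toUpperCase();
  if (!policy.allowedStatements.includes(verb)) return deny(`${verb} is not an allowed statement type`);
  for (const kw of policy.forbiddenKeywords) {
    if (new RegExp(`\\b${kw}\\b`, "i").test(bare)) return deny(`forbidden keyword ${kw}`);
  }
  if (policy.requireWhere.includes(verb) && !/\bWHERE\b/i.test(bare)) {
    return deny(`${verb} without a WHERE clause`);
  }
  return { allowed: true, reason: "ok", sql: text };
}

// Constructed statements of the kind a prompt-injected agent might hand to the tool.
const SAMPLES = [
  "INSERT INTO orders (id, status) VALUES (1, 'new')",
  "UPDATE orders SET status = 'shipped' WHERE id = 1",
  "UPDATE orders SET status = 'cancelled'",
  "DROP TABLE orders",
  "INSERT INTO notes (body) VALUES ('x'); DROP TABLE orders",
  "INSERT INTO notes (body) VALUES ('DROP TABLE orders')",
  "DELETE FROM orders WHERE id = 1",
  "GRANT ALL ON *.* TO 'agent'@'%'",
];

function gateAll(statements = SAMPLES, policy = DEFAULT_POLICY) {
  return statements.map((s) => ({ sql: s, ...gateWriteSql(s, policy) }));
}
```

The WHERE requirement is deliberately weak (a model can still emit `WHERE 1=1`), which is why the gate is paired with least privilege at the database: a MySQL account for the agent created with only `INSERT, UPDATE` on the specific tables, so that a DROP or GRANT that slips past any text filter fails at the server.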

Overview

  • elysiajs
  • elysia

09 Dec 2025
Published
09 Dec 2025
Updated

CVSS v4.0
CRITICAL (9.1)
EPSS
0.05%

KEV

Description

Elysia is a TypeScript framework for request validation, type inference, OpenAPI documentation and client-server communication. Versions 1.4.0 through 1.4.16 contain a prototype pollution vulnerability in `mergeDeep` when the results of two standard-schema validations with the same key are merged. Because of the merge order, an `any` type must be set as a standalone guard for the `__proto__` property to be merged. Combined with GHSA-8vch-m3f4-q8jf, this allows an attacker to achieve full RCE. This issue is fixed in version 1.4.17. As a workaround, remove the `__proto__` key from the body.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 2 hours ago

Bluesky

‼️ A critical issue has landed for anyone building with Elysia.js. CVE-2025-66456 allows attackers to achieve remote code execution through a prototype-pollution pathway in certain schema-validation flows. buff.ly/RCQHiLI #ElysiaJS #CVE202566456 #RCE #AppSec #NodeSecurity #TypeScript 🧵1/5
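The mechanism behind the description is general to any recursive merge that walks attacker-supplied keys. The following is an added example in JavaScript, not Elysia's `mergeDeep` or the code from the GHSA: a minimal merge that pollutes `Object.prototype` when the source carries an own `__proto__` key (which `JSON.parse` produces from a request body), beside a merge that refuses the dangerous keys, and the workaround named in the description generalised into a function that strips `__proto__` from a parsed body recursively. The request body is constructed.

```javascript
// Added example (not Elysia's mergeDeep): a recursive merge over attacker-controlled
// keys pollutes Object.prototype; two fixes are shown alongside it.

function mergeDeepUnsafe(target, source) {
  for (const key of Object.keys(source)) {
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      // target["__proto__"] resolves to Object.prototype, so the recursion writes there.
      if (!target[key] || typeof target[key] !== "object") target[key] = {};
      mergeDeepUnsafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

const DANGEROUS_KEYS = new Set(["__proto__", "constructor", "prototype"]);

function mergeDeepSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (DANGEROUS_KEYS.has(key)) continue;              // never walk into the prototype chain
    const value = source[key];
    if (value && typeof value === "object" && !Array.isArray(value)) {
      if (!Object.hasOwn(target, key) || typeof target[key] !== "object" || target[key] === null) {
        target[key] = Object.create(null);               // fresh, prototype-less container
      }
      mergeDeepSafe(target[key], value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// The description's workaround, generalised: drop dangerous keys anywhere in a parsed body.
function stripDangerousKeys(value) {
  if (Array.isArray(value)) return value.map(stripDangerousKeys);
  if (value === null || typeof value !== "object") return value;
  const out = {};
  for (const key of Object.keys(value)) {
    if (DANGEROUS_KEYS.has(key)) continue;
    out[key] = stripDangerousKeys(value[key]);
  }
  return out;
}

// Constructed request body exactly as JSON.parse yields it: "__proto__" is an own key.
const ATTACKER_BODY = JSON.parse('{"name":"x","__proto__":{"polluted":true}}');

function demonstrate() {
  mergeDeepUnsafe({}, ATTACKER_BODY);
  const unsafeLeaked = ({}).polluted === true;          // every object now inherits it
  delete Object.prototype.polluted;                     // undo so the process stays clean

  mergeDeepSafe({}, ATTACKER_BODY);
  const safeLeaked = ({}).polluted === true;

  const cleaned = stripDangerousKeys(ATTACKER_BODY);
  return { unsafeLeaked, safeLeaked, cleanedKeys: Object.keys(cleaned) };
}
```

Stripping the key at the body boundary is the workaround for deployments that cannot upgrade yet; the durable fix is the merge that never dereferences `__proto__`, `constructor` or `prototype` on the target, which is what closes the pollution path regardless of what the validators hand back.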

Overview

  • D-Link
  • DIR-803

11 Dec 2025
Published
11 Dec 2025
Updated

CVSS v4.0
MEDIUM (6.9)
EPSS
Pending

KEV

Description

A vulnerability was detected in D-Link DIR-803 firmware up to 1.04. The affected code is an unknown function in the file /getcfg.php of the Configuration Handler component. Manipulation of the argument AUTHORIZED_GROUP leads to information disclosure. The attack can be carried out remotely. A public exploit is available and may be used. This vulnerability only affects products that are no longer supported by the maintainer.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: Last hour

Overview

  • Microsoft
  • Windows Server 2019

14 Oct 2025
Published
22 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
62.31%

Description

Deserialization of untrusted data in Windows Server Update Service allows an unauthorized attacker to execute code over a network.

Statistics

  • 1 Post

Last activity: 9 hours ago

Bluesky

Hidden in Plain Sight: How a Popular CVE-2025-59287 PoC Threatens Every Pentester’s Workstation Introduction: The discovery of a malicious Proof-of-Concept (PoC) for CVE-2025-59287 on GitHub underscores a dangerous evolution in cyber threats, where attackers now weaponize the very tools security…

Overview

  • ibexa
  • user

11 Dec 2025
Published
11 Dec 2025
Updated

CVSS v4.0
HIGH (8.5)
EPSS
0.01%

KEV

Description

Ibexa is a composable end-to-end DXP (Digital Experience Platform). Versions 5.0.0-beta1 through 5.0.3 do not have password validation. During the transition from v4 to v5 an error was introduced into validation code which causes the validation of the previous password not to run as expected. This makes it possible for a logged in user to change their password in the back office without knowing the previous password. For example, if a user logs into their account and walks away without locking their workstation, an attacker could access the unattended session and change the password, therefore locking the legitimate user out. This issue is fixed in version 5.0.4.

Statistics

  • 1 Post

Last activity: 11 hours ago

Fediverse


CVE-2025-67719 (HIGH): Ibexa (v5.0.0-beta1–5.0.3) lets logged-in users change passwords without verifying the old one. Upgrade to 5.0.4+ ASAP. Monitor for anomalous changes. 🔐 radar.offseq.com/threat/cve-20


Overview

  • Linux
  • Linux

19 Nov 2024
Published
03 Nov 2025
Updated

CVSS
Pending
EPSS
0.02%

KEV

Description

In the Linux kernel, the following vulnerability has been resolved:

vsock/virtio: Initialization of the dangling pointer occurring in vsk->trans

During loopback communication, a dangling pointer can be created in vsk->trans, potentially leading to a Use-After-Free condition. This issue is resolved by initializing vsk->trans to NULL.

Statistics

  • 1 Post

Last activity: 1 hour ago

Bluesky

In-depth analysis of the Linux kernel CVE-2024-50264 vulnerability and a novel exploitation method - - hands-on notes from kernel-hack-drill https://qian.cx/posts/EDC31586-BC2E-427F-9E22-F0475982FC9E

Overview

  • Linux
  • Linux

12 Nov 2025
Published
01 Dec 2025
Updated

CVSS
Pending
EPSS
0.03%

KEV

Description

In the Linux kernel, the following vulnerability has been resolved:

ext4: guard against EA inode refcount underflow in xattr update

syzkaller found a path where ext4_xattr_inode_update_ref() reads an EA inode refcount that is already <= 0 and then applies ref_change (often -1). That lets the refcount underflow and we proceed with a bogus value, triggering errors like:

EXT4-fs error: EA inode <n> ref underflow: ref_count=-1 ref_change=-1
EXT4-fs warning: ea_inode dec ref err=-117

Make the invariant explicit: if the current refcount is non-positive, treat this as on-disk corruption, emit ext4_error_inode(), and fail the operation with -EFSCORRUPTED instead of updating the refcount. Delete the WARN_ONCE() as negative refcounts are now impossible; keep error reporting in ext4_error_inode().

This prevents the underflow and the follow-on orphan/cleanup churn.

Statistics

  • 1 Post

Last activity: 7 hours ago

Bluesky

CVE-2025-40190 ext4: guard against EA inode refcount underflow in xattr update scq.ms/4rFn7Ro #MicrosoftSecurity #cybersecurity

Overview

  • WBCE
  • WBCE_CMS

10 Dec 2025
Published
10 Dec 2025
Updated

CVSS v4.0
CRITICAL (9.4)
EPSS
0.04%

KEV

Description

WBCE CMS is a content management system. In versions 1.6.4 and below, the user management module allows a low-privileged authenticated user with permission to modify users to execute arbitrary SQL queries. This can be escalated to full database compromise and data exfiltration, effectively bypassing all security controls. The vulnerability exists in the admin/users/save.php script, which handles updates to user profiles. The script improperly processes the groups[] parameter sent from the user edit form. This issue is fixed in version 1.6.5.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse


🚨 CVE-2025-65950: CRITICAL SQL Injection in WBCE CMS (<1.6.5) lets low-priv users with modify rights inject arbitrary SQL. Full DB compromise possible. Patch to 1.6.5+ ASAP! radar.offseq.com/threat/cve-20

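The description names a form array, groups[], as the injection point, which is a common shape: array-valued form fields get joined into a string and spliced into the query. The following is an added example in JavaScript, not WBCE's admin/users/save.php, and the column and table names are assumptions: the vulnerable construction beside one that validates every element as an integer id, deduplicates, and binds one placeholder per value for the existence check and a single bound value for the update. The form submission is constructed.

```javascript
// Added example (not WBCE's code): handling an array form field such as groups[]
// on the server. Table and column names (users, groups, groups_id) are assumptions.

function buildGroupUpdateUnsafe(userId, groups) {
  // What not to do: the joined string is whatever the client sent.
  return `UPDATE users SET groups_id = '${groups.join(",")}' WHERE user_id = ${userId}`;
}

function buildGroupUpdateSafe(userId, groups) {
  if (!Number.isInteger(userId) || userId <= 0) throw new Error("invalid user id");
  if (!Array.isArray(groups) || groups.length === 0) {
    throw new Error("groups[] must be a non-empty array");
  }
  const ids = groups.map((g) => {
    // groups[][]=x or groups[]=[...] arrive as non-scalars; reject them outright.
    if (typeof g !== "string" && typeof g !== "number") throw new Error("group id must be a scalar");
    if (!/^\d{1,9}$/.test(String(g))) throw new Error(`invalid group id: ${String(g)}`);
    return Number(g);
  });
  const unique = [...new Set(ids)];
  return {
    // One ? per id: the IN list grows with the input but never contains the input.
    checkSql: `SELECT COUNT(*) AS n FROM groups WHERE group_id IN (${unique.map(() => "?").join(",")})`,
    checkParams: unique,
    // The stored value is built from validated integers only.
    updateSql: "UPDATE users SET groups_id = ? WHERE user_id = ?",
    updateParams: [unique.join(","), userId],
  };
}

// Constructed form submission: a legitimate group id followed by an injected element.
const MALICIOUS_GROUPS = ["2", "3'); DROP TABLE users; -- "];
const LEGITIMATE_GROUPS = ["2", "3", 3];
```

The caller runs checkSql first and only proceeds to updateSql when the returned count equals the number of unique ids, so a user who may edit profiles cannot assign a group id that does not exist either; that authorisation check is separate from, and does not replace, the parameter binding.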

Overview

  • ApusTheme
  • WP CarDealer

11 Dec 2025
Published
11 Dec 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.07%

KEV

Description

The WP CarDealer plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2.16. This is due to the 'WP_CarDealer_User::process_register' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.

Statistics

  • 1 Post

Last activity: 14 hours ago

Fediverse


🚨 CVE-2025-13764 (CRITICAL): ApusTheme WP CarDealer plugin for WordPress lets attackers register as admins—full site compromise! All versions up to 1.2.16 affected. Restrict registration & monitor admin users. radar.offseq.com/threat/cve-20
