Overview

  • Qode Interactive
  • Tiare Membership

27 Nov 2025
Published
27 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.07%

KEV

Description

The Tiare Membership plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.2. This is due to the 'tiare_membership_init_rest_api_register' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.

Statistics

  • 1 Post

Last activity: 10 hours ago

Fediverse

🚨 CVE-2025-13540 (CRITICAL): Qode Tiare Membership plugin lets unauth'd users register as admins via REST API. All versions ≤1.2 affected. No patch—disable or restrict endpoint ASAP! More: radar.offseq.com/threat/cve-20

  • 10h ago

Overview

  • ASUS
  • Router

25 Nov 2025
Published
26 Nov 2025
Updated

CVSS v4.0
CRITICAL (9.2)
EPSS
0.10%

KEV

Description

An authentication-bypass vulnerability exists in AiCloud. This vulnerability can be triggered by an unintended side effect of the Samba functionality, potentially allowing execution of specific functions without proper authorization. Refer to the Security Update for ASUS Router Firmware section on the ASUS Security Advisory for more information.

Statistics

  • 1 Post

Last activity: 5 hours ago

Fediverse

ASUS warns of new critical auth-bypass flaw in AiCloud routers
bleepingcomputer.com/news/secu

ASUS has issued new firmware updates to address nine security vulnerabilities, including a critical authentication bypass flaw affecting routers with the AiCloud feature enabled.

AiCloud is a remote-access service built into many ASUS routers, allowing users to stream media or access files from their personal devices as if they were cloud-hosted.

According to the company, the critical vulnerability CVE-2025-59366 stems from an “unintended side effect” of the router’s Samba functionality. This flaw may allow certain functions to be executed without proper authorization.

In its Monday advisory, ASUS urged all customers to update their router firmware to the latest version immediately to ensure protection.

  • 5h ago

Overview

  • The Ray Team
  • Anyscale Ray

27 Nov 2025
Published
27 Nov 2025
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.47%

KEV

Description

Anyscale Ray 2.52.0 contains an insecure default configuration in which token-based authentication for Ray management interfaces (including the dashboard and Jobs API) is disabled unless explicitly enabled by setting RAY_AUTH_MODE=token. In the default unauthenticated state, a remote attacker with network access to these interfaces can submit jobs and execute arbitrary code on the Ray cluster. NOTE: The vendor plans to enable token authentication by default in a future release. They recommend enabling token authentication to protect your cluster from unauthorized access.

Statistics

  • 1 Post

Last activity: 13 hours ago

Fediverse

🚨 CVE-2025-34351 (CRITICAL): Anyscale Ray 2.52.0 has token auth OFF by default—remote attackers can execute code via mgmt interfaces! Enable RAY_AUTH_MODE=token, restrict access, audit configs. Full details: radar.offseq.com/threat/cve-20

  • 13h ago

Overview

  • Automated Logic
  • WebCTRL

27 Nov 2025
Published
27 Nov 2025
Updated

CVSS v4.0
CRITICAL (9.2)
EPSS
0.04%

KEV

Description

The Access Control Bypass vulnerability found in ALC WebCTRL and Carrier i-Vu in versions up to and including 8.5 allows a malicious actor to bypass intended access restrictions and expose sensitive information via the web-based building automation server.

Statistics

  • 1 Post

Last activity: 7 hours ago

Bluesky

🚨 CVE-2024-5539 — Carrier WebCTRL / i-Vu Access control bypass exposes sensitive building system data to remote attackers. 🔗 basefortify.eu/cve_reports/... #CVE #Carrier #OTSecurity #ICS
  • 7h ago

Overview

  • djangoproject
  • Django
  • django

05 Nov 2025
Published
08 Nov 2025
Updated

CVSS
Pending
EPSS
0.01%

KEV

Description

An issue was discovered in 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when using a suitably crafted dictionary, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

Statistics

  • 1 Post

Last activity: 8 hours ago

Bluesky

Critical Flaw: The “Secret Instruction” Hack in Django ORM (CVE-2025–64459) https://medium.com/@MuhammedAsfan/%EF%B8%8F-critical-flaw-the-secret-instruction-hack-in-django-orm-cve-2025-64459-2dfc899a165d?source=rss------bug_bounty-5
  • 8h ago

Overview

  • win.rar GmbH
  • WinRAR

08 Aug 2025
Published
21 Oct 2025
Updated

CVSS v4.0
HIGH (8.4)
EPSS
2.92%

Description

A path traversal vulnerability affecting the Windows version of WinRAR allows attackers to execute arbitrary code by crafting malicious archive files. This vulnerability was exploited in the wild and was discovered by Anton Cherepanov, Peter Košinár, and Peter Strýček from ESET.

Statistics

  • 1 Post

Last activity: Last hour

Bluesky

Autumn Dragon is assessed to be China-linked and carries out intrusions with a high degree of stealth and persistence through a multi-stage infection chain that combines DLL side-loading with a WinRAR zero-day (CVE-2025-8088). In particular, its focus on government agencies and media organizations should be understood as information warfare aimed at the centers of public-opinion formation and policy decision-making. This structure also has clear commonalities with the confusion in the information space and the disinformation phenomena currently seen in Japan.
  • Last hour

Overview

  • DirectoryThemes
  • Tiger

27 Nov 2025
Published
27 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.07%

KEV

Description

The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the 'paypal-submit.php' file not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.

Statistics

  • 1 Post

Last activity: 8 hours ago

Fediverse

🚨 CRITICAL: CVE-2025-13675 in DirectoryThemes Tiger (WordPress) allows unauthenticated privilege escalation via 'paypal-submit.php.' All versions ≤101.2.1 affected. Disable the file & monitor admin accounts. radar.offseq.com/threat/cve-20

  • 8h ago

Overview

  • Zenitel
  • TCIV-3+

26 Nov 2025
Published
26 Nov 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
3.18%

KEV

Description

An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Validation fails to enforce sufficient formatting rules, which could permit attackers to append arbitrary data. This could allow an unauthenticated attacker to inject arbitrary commands.

Statistics

  • 1 Post

Last activity: 14 hours ago

Fediverse

🚨 CRITICAL: CVE-2025-64128 (CVSS 10) in Zenitel TCIV-3+—unauthenticated remote OS command injection. No patch yet. Segment, restrict access, monitor for attacks. ICS & public safety devices at risk! radar.offseq.com/threat/cve-20

  • 14h ago

Overview

  • FluentBit
  • FluentBit

24 Nov 2025
Published
24 Nov 2025
Updated

CVSS
Pending
EPSS
0.10%

KEV

Description

Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. This allows attackers with network access to craft tags containing path traversal sequences that cause Fluent Bit to write files outside the intended output directory.

Statistics

  • 1 Post

Last activity: 19 hours ago

Bluesky

📢 Chain of 5 critical vulnerabilities in Fluent Bit exposes cloud environments to takeover 📝 According to O… https://cyberveille.ch/posts/2025-11-25-chaine-de-5-vulnerabilites-critiques-dans-fluent-bit-expose-les-environnements-cloud-a-une-prise-de-controle/ #CVE_2025_12972 #Cyberveille
  • 19h ago

Overview

  • FFmpeg

31 Dec 2024
Published
21 Aug 2025
Updated

CVSS
Pending
EPSS
0.32%

KEV

Description

A flaw was found in FFmpeg's HLS playlist parsing. This vulnerability allows a denial of service via a maliciously crafted HLS playlist that triggers a null pointer dereference during initialization.

Statistics

  • 1 Post

Last activity: Last hour

Bluesky

Security Deep Dive: The recently disclosed FFmpeg flaw (CVE-2023-6603) is a classic example of a parser vulnerability in a ubiquitous tool. Read more: 👉 tinyurl.com/ms4s3h83 #Security #Ubuntu
  • Last hour