Overview

  • ESP32Async
  • ESPAsyncWebServer

27 Jun 2025
Published
27 Jun 2025
Updated

CVSS v4.0
HIGH (8.7)
EPSS
0.04%

KEV

Description

ESPAsyncWebServer is an asynchronous HTTP and WebSocket server library for ESP32, ESP8266, RP2040 and RP2350. In versions up to and including 3.7.8, a CRLF (Carriage Return Line Feed) injection vulnerability exists in the construction and output of HTTP headers within `AsyncWebHeader.cpp`. Unsanitized input allows attackers to inject CR (`\r`) or LF (`\n`) characters into header names or values, leading to arbitrary header or response manipulation. Manipulation of HTTP headers and responses can enable a wide range of attacks, making the severity of this vulnerability high. A fix is available at pull request 211 and is expected to be part of version 3.7.9.

Statistics

  • 1 Post
  • 6 Interactions

Fediverse

I know a bunch of you nerds like playing with ESP32s, etc.

sev:HIGH 8.7 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

ESPAsyncWebServer is an asynchronous HTTP and WebSocket server library for ESP32, ESP8266, RP2040 and RP2350. In versions up to and including 3.7.8, a CRLF (Carriage Return Line Feed) injection vulnerability exists in the construction and output of HTTP headers within AsyncWebHeader.cpp. Unsanitized input allows attackers to inject CR (\r) or LF (\n) characters into header names or values, leading to arbitrary header or response manipulation. Manipulation of HTTP headers and responses can enable a wide range of attacks, making the severity of this vulnerability high. A fix is available at pull request 211 and is expected to be part of version 3.7.9.

nvd.nist.gov/vuln/detail/CVE-2

  • 4
  • 2
  • 21 hours ago

Overview

  • Ubiquiti Inc
  • UISP Application

29 Jun 2025
Published
30 Jun 2025
Updated

CVSS v3.0
CRITICAL (9.9)
EPSS
0.03%

KEV

Description

Multiple Authenticated SQL Injection vulnerabilities found in UISP Application (Version 2.4.206 and earlier) could allow a malicious actor with low privileges to escalate privileges.

Statistics

  • 1 Post
  • 7 Interactions

Fediverse

Fucking Ubiquiti showing they're the Tesla of networking yet again.

community.ui.com/releases/Secu

sev:CRIT 9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Multiple Authenticated SQL Injection vulnerabilities found in UISP Application (Version 2.4.206 and earlier) could allow a malicious actor with low privileges to escalate privileges.

nvd.nist.gov/vuln/detail/CVE-2

  • 2
  • 5
  • 21 hours ago

Overview

  • Pending

24 Jun 2025
Published
24 Jun 2025
Updated

CVSS
Pending
EPSS
0.05%

KEV

Description

An issue in Realtek RTL8762EKF-EVB RTL8762E SDK v1.4.0 allows attackers to cause a Denial of Service (DoS) via sending a crafted before a pairing public key is received during a Bluetooth connection attempt.

Statistics

  • 1 Post
  • 7 Interactions

Fediverse

Get your Flippers out.

github.com/yangting111/BLE_TES

An issue in Realtek RTL8762EKF-EVB RTL8762E SDK v1.4.0 allows attackers to cause a Denial of Service (DoS) via sending a crafted before a pairing public key is received during a Bluetooth connection attempt.

nvd.nist.gov/vuln/detail/CVE-2

  • 2
  • 5
  • 15 hours ago

Overview

  • Canonical
  • cloud-init
  • cloud-init

26 Jun 2025
Published
26 Jun 2025
Updated

CVSS v3.1
HIGH (8.8)
EPSS
0.02%

KEV

Description

When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.

Statistics

  • 1 Post
  • 3 Interactions

Fediverse

Wat

sev:HIGH 8.8 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

When a non-x86 platform is detected, cloud-init grants root access to a hardcoded url with a local IP address. To prevent this, cloud-init default configurations disable platform enumeration.

nvd.nist.gov/vuln/detail/CVE-2

  • 1
  • 2
  • 21 hours ago

Overview

  • 5VTechnologies
  • Blue Angel Software Suite

24 Jun 2025
Published
24 Jun 2025
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.05%

KEV

Description

A hardcoded credential vulnerability exists in the Blue Angel Software Suite deployed on embedded Linux systems. The application contains multiple known default and hardcoded user accounts that are not disclosed in public documentation. These accounts allow unauthenticated or low-privilege attackers to gain administrative access to the device’s web interface.

Statistics

  • 1 Post
  • 3 Interactions

Fediverse

sigh

sev:CRIT 9.3 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

A hardcoded credential vulnerability exists in the Blue Angel Software Suite deployed on embedded Linux systems. The application contains multiple known default and hardcoded user accounts that are not disclosed in public documentation. These accounts allow unauthenticated or low-privilege attackers to gain administrative access to the device’s web interface.

And those creds are:

blueangel:blueangel
root:abnareum10
root:Admin@tbroad
root:superuser
user:user
guest:guest

nvd.nist.gov/vuln/detail/CVE-2

  • 1
  • 2
  • 16 hours ago

Overview

  • Pilz
  • IndustrialPI 4 with Firmware Bullseye

01 Jul 2025
Published
01 Jul 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
Pending

KEV

Description

An unauthenticated remote attacker can run arbitrary commands on the affected devices with high privileges because the authentication for the Node_RED server is not configured by default.

Statistics

  • 1 Post
  • 2 Interactions

Fediverse

  • 1
  • 1
  • 3 hours ago

Overview

  • Debian
  • zulucrypt

28 Jun 2025
Published
30 Jun 2025
Updated

CVSS v3.1
CRITICAL (9.3)
EPSS
0.01%

KEV

Description

The Debian zuluPolkit/CMakeLists.txt file for zuluCrypt through the zulucrypt_6.2.0-1 package has insecure PolicyKit allow_any/allow_inactive/allow_active settings that allow a local user to escalate their privileges to root.

Statistics

  • 1 Post
  • 1 Interaction

Fediverse

That's kind of a fun PrivEsc.

sev:CRIT 9.3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

The Debian zuluPolkit/CMakeLists.txt file for zuluCrypt through the zulucrypt_6.2.0-1 package has insecure PolicyKit allow_any/allow_inactive/allow_active settings that allow a local user to escalate their privileges to root.

nvd.nist.gov/vuln/detail/CVE-2

  • 1
  • 0
  • 21 hours ago

Overview

  • pterodactyl
  • panel

20 Jun 2025
Published
20 Jun 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
23.69%

KEV

Description

Pterodactyl is a free, open-source game server management panel. Prior to version 1.11.11, using the /locales/locale.json with the locale and namespace query parameters, a malicious actor is able to execute arbitrary code without being authenticated. With the ability to execute arbitrary code it could be used to gain access to the Panel's server, read credentials from the Panel's config, extract sensitive information from the database, access files of servers managed by the panel, etc. This issue has been patched in version 1.11.11. There are no software workarounds for this vulnerability, but use of an external Web Application Firewall (WAF) could help mitigate this attack.

Statistics

  • 1 Post
  • 4 Interactions

Fediverse

FYI: There is a ton of scanning for this one for some reason.

/locales/locale.json?locale=../../../pterodactyl&namespace=config/database

/locales/locale.json?locale=../../config/&namespace=database

github.com/Zen-kun04/CVE-2025-

  • 0
  • 4
  • 13 hours ago

Overview

  • mbuesch
  • letmein

24 Jun 2025
Published
24 Jun 2025
Updated

CVSS v4.0
LOW (1.7)
EPSS
0.06%

KEV

Description

Letmein is an authenticating port knocker. Prior to version 10.2.1, the connection limiter is implemented incorrectly. It allows an arbitrary amount of simultaneously incoming connections (TCP, UDP and Unix socket) for the services letmeind and letmeinfwd. Therefore, the command line option num-connections is not effective and does not limit the number of simultaneously incoming connections. This issue has been patched in version 10.2.1.

Statistics

  • 1 Post
  • 4 Interactions

Fediverse

Wait, we're still doing port knocking? I thought that was a lost art that got snuffed out by the "obscurity does not provide security" nerds.

github.com/mbuesch/letmein/sec

Letmein is an authenticating port knocker. Prior to version 10.2.1, the connection limiter is implemented incorrectly. It allows an arbitrary amount of simultaneously incoming connections (TCP, UDP and Unix socket) for the services letmeind and letmeinfwd. Therefore, the command line option num-connections is not effective and does not limit the number of simultaneously incoming connections. This issue has been patched in version 10.2.1.

nvd.nist.gov/vuln/detail/CVE-2

  • 0
  • 4
  • 15 hours ago

Overview

  • ConvoyPanel
  • panel

23 Jun 2025
Published
24 Jun 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
1.48%

KEV

Description

Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the LocaleController component of Performave Convoy. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request with malicious locale and namespace parameters. This allows the attacker to include and execute arbitrary PHP files on the server. This issue has been patched in version 4.4.1. A temporary workaround involves implementing strict Web Application Firewall (WAF) rules to incoming requests targeting the vulnerable endpoints.

Statistics

  • 1 Post
  • 3 Interactions

Fediverse

Oh my. Perfect 10 ../ in a KVM server management panel.

github.com/ConvoyPanel/panel/s

sev:CRIT 10.0 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Convoy is a KVM server management panel for hosting businesses. In versions 3.9.0-rc3 to before 4.4.1, there is a directory traversal vulnerability in the LocaleController component of Performave Convoy. An unauthenticated remote attacker can exploit this vulnerability by sending a specially crafted HTTP request with malicious locale and namespace parameters. This allows the attacker to include and execute arbitrary PHP files on the server. This issue has been patched in version 4.4.1. A temporary workaround involves implementing strict Web Application Firewall (WAF) rules to incoming requests targeting the vulnerable endpoints.

nvd.nist.gov/vuln/detail/CVE-2

  • 0
  • 3
  • 16 hours ago