Overview

  • Pending

Published: 15 Dec 2025
Updated: 15 Dec 2025

CVSS: Pending
EPSS: Pending

KEV

Description

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, any unauthorized party could retrieve them and misuse the Flickr integration. An attacker with access to the exposed credentials could impersonate the legitimate application and initiate valid Flickr OAuth flows. If a user is tricked into approving such a request, the attacker could gain access to the user's Flickr data. The hardcoded credentials have since been removed from the Zimlet code, and the associated key has been revoked.

Statistics

  • 1 Post

Last activity: Last hour

Fediverse

Oh that could be fun.

cve.org/CVERecord?id=CVE-2025-

An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A hardcoded Flickr API key and secret are present in the publicly accessible Flickr Zimlet used by Zimbra Collaboration. Because these credentials are embedded directly in the Zimlet, any unauthorized party could retrieve them and misuse the Flickr integration. An attacker with access to the exposed credentials could impersonate the legitimate application and initiate valid Flickr OAuth flows. If a user is tricked into approving such a request, the attacker could gain access to the user's Flickr data. The hardcoded credentials have since been removed from the Zimlet code, and the associated key has been revoked.


Overview

  • SourceCodester
  • Warehouse Management System

Published: 11 Apr 2024
Updated: 08 Aug 2024

CVSS v3.1: LOW (3.5)
EPSS: 0.07%

KEV

Description

A vulnerability was found in SourceCodester Warehouse Management System 1.0. It has been rated as problematic. Affected by this issue is some unknown functionality of the file supplier.php. The manipulation of the argument nama_supplier/alamat_supplier/notelp_supplier leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. VDB-260270 is the identifier assigned to this vulnerability.

Statistics

  • 1 Post

Last activity: 13 hours ago

Bluesky

📌 Notepad++ Path Traversal Vulnerability (CVE-2024-3613) Fixed in Version 8.6.9 https://www.cyberhub.blog/article/16776-notepad-path-traversal-vulnerability-cve-2024-3613-fixed-in-version-869

Overview

  • NXLog
  • NXLog Agent

Published: 14 Dec 2025
Updated: 15 Dec 2025

CVSS v3.1: HIGH (8.1)
EPSS: 0.01%

KEV

Description

NXLog Agent before 6.11 can load a file specified by the OPENSSL_CONF environment variable.

Statistics

  • 1 Post

Last activity: 17 hours ago

Fediverse

⚠️ HIGH severity: CVE-2025-67900 in NXLog Agent <6.11 lets local attackers alter OpenSSL configs via OPENSSL_CONF, risking confidentiality & integrity. Patch to 6.11+ & restrict local access! radar.offseq.com/threat/cve-20


Overview

  • Shiguangwu
  • sgwbox N3

Published: 15 Dec 2025
Updated: 15 Dec 2025

CVSS v4.0: CRITICAL (9.3)
EPSS: 0.15%

KEV

Description

A vulnerability was identified in Shiguangwu sgwbox N3 2.0.25. This impacts an unknown function of the file /usr/sbin/http_eshell_server of the component NETREBOOT Interface. Such manipulation leads to command injection. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 1 Post

Last activity: 13 hours ago

Fediverse

🚨 CVE-2025-14706 (CRITICAL, CVSS 9.3): Shiguangwu sgwbox N3 v2.0.25 has an unpatched remote command injection in /usr/sbin/http_eshell_server. Public exploit, no vendor fix. Isolate, restrict, & monitor now! radar.offseq.com/threat/cve-20


Overview

  • Microsoft
  • Windows 11 Version 25H2

Published: 09 Dec 2025
Updated: 12 Dec 2025

CVSS v3.1: HIGH (7.8)
EPSS: 0.05%

KEV

Description

Out-of-bounds read in Windows Cloud Files Mini Filter Driver allows an authorized attacker to elevate privileges locally.

Statistics

  • 1 Post

Last activity: 13 hours ago

Bluesky

CVE-2025-62457 Windows Cloud Files Mini Filter Driver Elevation of Privilege Vulnerability scq.ms/3Yhdc7b #cybersecurity #SecQube

Overview

  • pgadmin.org
  • pgAdmin 4

Published: 11 Dec 2025
Updated: 12 Dec 2025

CVSS v3.1: CRITICAL (9.1)
EPSS: 0.09%

KEV

Description

pgAdmin versions up to 9.10 are affected by a Remote Code Execution (RCE) vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. This issue allows attackers to inject and execute arbitrary commands on the server hosting pgAdmin, posing a critical risk to the integrity and security of the database management system and underlying data.

Statistics

  • 1 Post

Last activity: 3 hours ago

Fediverse

We discovered a critical pgAdmin vulnerability (CVE-2025-13780): whitespace bypassed a regex meant to block dangerous psql meta-commands.
A great example of why regex is fragile for input validation.

Deep dive:
endorlabs.com/learn/when-regex


Overview

  • geoserver
  • geoserver

Published: 25 Nov 2025
Updated: 12 Dec 2025

CVSS v3.1: HIGH (8.2)
EPSS: 71.92%

Description

GeoServer is an open source server that allows users to share and edit geospatial data. From version 2.26.0 to before 2.26.2 and before 2.25.6, an XML External Entity (XXE) vulnerability was identified. The application accepts XML input through a specific endpoint /geoserver/wms operation GetMap. However, this input is not sufficiently sanitized or restricted, allowing an attacker to define external entities within the XML request. This issue has been patched in GeoServer 2.25.6, GeoServer 2.26.3, and GeoServer 2.27.0.

Statistics

  • 1 Post

Last activity: 18 hours ago

Bluesky

📌 CISA Adds OSGeo GeoServer Vulnerability (CVE-2025-58360) to KEV Catalog https://www.cyberhub.blog/article/16768-cisa-adds-osgeo-geoserver-vulnerability-cve-2025-58360-to-kev-catalog

Overview

  • argoproj
  • argo-workflows

Published: 09 Dec 2025
Updated: 12 Dec 2025

CVSS v3.1: HIGH (8.1)
EPSS: 0.07%

KEV

Description

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. Versions 3.6.13 and below and versions 3.7.0 through 3.7.4, contain unsafe untar code that handles symbolic links in archives. Concretely, the computation of a link's target and the subsequent check are flawed. An attacker can overwrite the file /var/run/argo/argoexec with a script of their choice, which would be executed at the pod's start. The patch deployed against CVE-2025-62156 is ineffective against malicious archives containing symbolic links. This issue is fixed in versions 3.6.14 and 3.7.5.

Statistics

  • 1 Post

Last activity: 3 hours ago

Fediverse

A patch in Argo Workflows was supposed to fix a ZipSlip issue… but it didn’t.
Our research uncovered CVE-2025-66626 — a validation bug that let malicious tarballs escape the working directory and reach RCE.

Full write-up:
endorlabs.com/learn/when-a-bro


Overview

  • geoserver
  • geoserver

Published: 01 Jul 2024
Updated: 21 Oct 2025

CVSS v3.1: CRITICAL (9.8)
EPSS: 94.42%

Description

GeoServer is an open source server that allows users to share and edit geospatial data. Prior to versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2, multiple OGC request parameters allow Remote Code Execution (RCE) by unauthenticated users through specially crafted input against a default GeoServer installation due to unsafely evaluating property names as XPath expressions. The GeoTools library API that GeoServer calls evaluates property/attribute names for feature types in a way that unsafely passes them to the commons-jxpath library which can execute arbitrary code when evaluating XPath expressions. This XPath evaluation is intended to be used only by complex feature types (i.e., Application Schema data stores) but is incorrectly being applied to simple feature types as well which makes this vulnerability apply to **ALL** GeoServer instances. No public PoC is provided but this vulnerability has been confirmed to be exploitable through WFS GetFeature, WFS GetPropertyValue, WMS GetMap, WMS GetFeatureInfo, WMS GetLegendGraphic and WPS Execute requests. This vulnerability can lead to executing arbitrary code. Versions 2.22.6, 2.23.6, 2.24.4, and 2.25.2 contain a patch for the issue. A workaround exists by removing the `gt-complex-x.y.jar` file from the GeoServer where `x.y` is the GeoTools version (e.g., `gt-complex-31.1.jar` if running GeoServer 2.25.1). This will remove the vulnerable code from GeoServer but may break some GeoServer functionality or prevent GeoServer from deploying if the gt-complex module is needed.

Statistics

  • 1 Post

Last activity: 19 hours ago

Bluesky

📌 CISA Orders Immediate Patching of Actively Exploited GeoServer RCE Flaw (CVE-2024-36401) https://www.cyberhub.blog/article/16766-cisa-orders-immediate-patching-of-actively-exploited-geoserver-rce-flaw-cve-2024-36401

Overview

  • Microsoft
  • Windows 11 Version 25H2

Published: 09 Dec 2025
Updated: 12 Dec 2025

CVSS v3.1: HIGH (8.8)
EPSS: 0.08%

KEV

Description

Heap-based buffer overflow in Windows Resilient File System (ReFS) allows an authorized attacker to execute code over a network.

Statistics

  • 1 Post

Last activity: 17 hours ago

Bluesky

CVE-2025-62456 Windows Resilient File System (ReFS) Remote Code Execution Vulnerability scq.ms/4q2ptZe #cybersecurity #SecQube