24h | 7d | 30d

CVE-2025-8351

Overview

  • Avast
  • Antivirus
01 Dec 2025
Published
01 Dec 2025
Updated
CVSS v3.1
CRITICAL (9.0)
EPSS
Pending
KEV

Description

Heap-based Buffer Overflow, Out-of-bounds Read vulnerability in Avast Antivirus on MacOS when scanning a malformed file may allow Local Execution of Code or Denial-of-Service of the anitvirus engine process.This issue affects Antivirus: from 8.3.70.94 before 8.3.70.98.

Statistics

  • 1 Post
  • 7 Interactions
Last activity: 21 hours ago

Fediverse

Profile picture
cR0w h0 h0 @cR0w

And another one:

Heap-based Buffer Overflow, Out-of-bounds Read vulnerability in Avast Antivirus on MacOS when scanning a malformed file may allow Local Execution of Code or Denial-of-Service of the anitvirus engine process.This issue affects Antivirus: from 8.3.70.94 before 8.3.70.98.

cve.org/CVERecord?id=CVE-2025-

  • 1
  • 6
  • 0
  • 21h ago

CVE-2025-12421

Overview

  • Mattermost
  • Mattermost
27 Nov 2025
Published
02 Dec 2025
Updated
CVSS v3.1
CRITICAL (9.9)
EPSS
0.07%
KEV

Description

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).

Statistics

  • 1 Post
  • 4 Interactions
Last activity: 21 hours ago

Fediverse

Profile picture
cR0w h0 h0 @cR0w

sev:CRIT account takeover in Mattermost.

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to to verify that the token used during the code exchange originates from the same authentication flow, which allows an authenticated user to perform account takeover via a specially crafted email address used when switching authentication methods and sending a request to the /users/login/sso/code-exchange endpoint. The vulnerability requires ExperimentalEnableAuthenticationTransfer to be enabled (default: enabled) and RequireEmailVerification to be disabled (default: disabled).

cve.org/CVERecord?id=CVE-2025-

  • 1
  • 3
  • 0
  • 21h ago

CVE-2023-7304

Overview

  • Ruijie Networks Co., Ltd.
  • RG-UAC
15 Oct 2025
Published
21 Nov 2025
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
3.26%
KEV

Description

Ruijie RG-UAC Application Management Gateway contains a command injection vulnerability via the 'nmc_sync.php' interface. An unauthenticated attacker able to reach the affected endpoint can inject shell commands via crafted request data, causing the application to execute arbitrary commands on the host. Successful exploitation can yield full control of the application process and may lead to system-level access depending on the service privileges. VulnCheck has observed this vulnerability being targeted by the RondoDox botnet campaign.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 21 hours ago

Fediverse

Profile picture
Niels Heinen @heinen

Since a week my honeypots are seeing an increase in attacks targeting CVE-2023-7304 (Ruijie RG-UAC nmc_sync.php Command Injection)

  • 1
  • 0
  • 0
  • 21h ago

CVE-2025-12106

Overview

  • OpenVPN
  • OpenVPN
01 Dec 2025
Published
01 Dec 2025
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

Insufficient argument validation in OpenVPN 2.7_alpha1 through 2.7_rc1 allows an attacker to trigger a heap buffer over-read when parsing IP addresses

Statistics

  • 1 Post
  • 5 Interactions
Last activity: 21 hours ago

Fediverse

Profile picture
cR0w h0 h0 @cR0w

Buffer overread in OpenVPN. See what happens when you enable IPv6?

community.openvpn.net/Security

  • 0
  • 5
  • 0
  • 21h ago

CVE-2025-7007

Overview

  • Avast
  • Antivirus
01 Dec 2025
Published
01 Dec 2025
Updated
CVSS v3.1
HIGH (7.5)
EPSS
Pending
KEV

Description

NULL Pointer Dereference vulnerability in Avast Antivirus on MacOS, Avast Anitvirus on Linux when scanning a malformed Windows PE file causes the antivirus process to crash.This issue affects Antivirus: 16.0.0; Anitvirus: 3.0.3.

Statistics

  • 1 Post
  • 5 Interactions
Last activity: 20 hours ago

Fediverse

Profile picture
cR0w h0 h0 @cR0w

And another one:

NULL Pointer Dereference vulnerability in Avast Antivirus on MacOS, Avast Anitvirus on Linux when scanning a malformed Windows PE file causes the antivirus process to crash.This issue affects Antivirus: 16.0.0; Anitvirus: 3.0.3.

cve.org/CVERecord?id=CVE-2025-

  • 0
  • 5
  • 0
  • 20h ago

CVE-2024-56089

Overview

  • Pending
01 Dec 2025
Published
01 Dec 2025
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

An issue in Technitium through v13.2.2 enables attackers to conduct a DNS cache poisoning attack and inject fake responses by reviving the birthday attack.

Statistics

  • 1 Post
  • 4 Interactions
Last activity: 22 hours ago

Fediverse

Profile picture
cR0w h0 h0 @cR0w

Technitium has a CVE for it:

cve.org/CVERecord?id=CVE-2024-

  • 0
  • 4
  • 0
  • 22h ago

CVE-2025-12559

Overview

  • Mattermost
  • Mattermost
27 Nov 2025
Published
28 Nov 2025
Updated
CVSS v3.1
MEDIUM (4.3)
EPSS
0.03%
KEV

Description

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint

Statistics

  • 1 Post
  • 2 Interactions
Last activity: 21 hours ago

Fediverse

Profile picture
cR0w h0 h0 @cR0w

Also:

Mattermost versions 11.0.x <= 11.0.2, 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12 fail to sanitize team email addresses to be visible only to Team Admins, which allows any authenticated user to view team email addresses via the GET /api/v4/channels/{channel_id}/common_teams endpoint

cve.org/CVERecord?id=CVE-2025-

  • 0
  • 2
  • 0
  • 21h ago

CVE-2025-12419

Overview

  • Mattermost
  • Mattermost
27 Nov 2025
Published
02 Dec 2025
Updated
CVSS v3.1
CRITICAL (9.9)
EPSS
0.07%
KEV

Description

Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation privileges to take over a user account via manipulation of authentication data during the OAuth completion flow. This requires email verification to be disabled (default: disabled), OAuth/OpenID Connect to be enabled, and the attacker to control two users in the SSO system with one of them never having logged into Mattermost.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 21 hours ago

Fediverse

Profile picture
cR0w h0 h0 @cR0w

And:

Mattermost versions 10.12.x <= 10.12.1, 10.11.x <= 10.11.4, 10.5.x <= 10.5.12, 11.0.x <= 11.0.3 fail to properly validate OAuth state tokens during OpenID Connect authentication which allows an authenticated attacker with team creation or admin privileges to take over any user account via manipulation of authentication data during the OAuth completion flow

cve.org/CVERecord?id=CVE-2025-

  • 0
  • 1
  • 0
  • 21h ago

CVE-2025-66401

Overview

  • kapilduraphe
  • mcp-watch
01 Dec 2025
Published
01 Dec 2025
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
Pending
KEV

Description

MCP Watch is a comprehensive security scanner for Model Context Protocol (MCP) servers. In 0.1.2 and earlier, the MCPScanner class contains a critical Command Injection vulnerability in the cloneRepo method. The application passes the user-supplied githubUrl argument directly to a system shell via execSync without sanitization. This allows an attacker to execute arbitrary commands on the host machine by appending shell metacharacters to the URL.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 13 hours ago

Fediverse

Profile picture
Offensive Sequence @offseq

🔴 CVE-2025-66401 (CRITICAL, CVSS 9.8): kapilduraphe mcp-watch ≤0.1.2 is vulnerable to OS command injection via unsanitized githubUrl in cloneRepo. Attackers can execute arbitrary commands remotely. Audit, isolate, and monitor now! radar.offseq.com/threat/cve-20

  • 0
  • 1
  • 0
  • 13h ago

CVE-2025-65403

Overview

  • Pending
01 Dec 2025
Published
01 Dec 2025
Updated
CVSS
Pending
EPSS
Pending
KEV

Description

A buffer overflow in the g_cfg.MaxUsers component of LightFTP v2.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

Statistics

  • 1 Post
  • 1 Interaction
Last activity: 20 hours ago

Fediverse

Profile picture
cR0w h0 h0 @cR0w

BoF in LightFTP.

shimo.im/docs/9030JMJpv4IM4Nkw

A buffer overflow in the g_cfg.MaxUsers component of LightFTP v2.0 allows attackers to cause a Denial of Service (DoS) via a crafted input.

cve.org/CVERecord?id=CVE-2025-

  • 0
  • 1
  • 0
  • 20h ago
Showing 11 to 20 of 44 CVEs