
Overview

  • SignalK
  • signalk-server

01 Jan 2026
Published
01 Jan 2026
Updated

CVSS v3.1
CRITICAL (9.7)
EPSS
Pending

KEV

Description

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This allows the attacker to hijack the administrator's "Restore" functionality to overwrite critical server configuration files (e.g., `security.json`, `package.json`), leading to account takeover and Remote Code Execution (RCE). Version 2.19.0 patches this vulnerability.

Statistics

  • 1 Post

Last activity: 12 hours ago

Fediverse


🔴 CVE-2025-66398 - Critical (9.6)

Signal K Server is a server application that runs on a central hub in a boat. Prior to version 2.19.0, an unauthenticated attacker can pollute the internal state (`restoreFilePath`) of the server via the `/skServer/validateBackup` endpoint. This a...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda

Posted 12h ago

Overview

  • feast-dev
  • feast-dev/feast

01 Jan 2026
Published
01 Jan 2026
Updated

CVSS v3.0
HIGH (7.8)
EPSS
0.28%

KEV

Description

A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. The vulnerability arises from the use of `yaml.load(..., Loader=yaml.Loader)` to deserialize `/var/feast/feature_store.yaml` and `/var/feast/materialization_config.yaml`. This method allows for the instantiation of arbitrary Python objects, enabling an attacker with the ability to modify these YAML files to execute OS commands on the worker pod. This vulnerability can be exploited before the configuration is validated, potentially leading to cluster takeover, data poisoning, and supply-chain sabotage.

Statistics

  • 1 Post

Last activity: 23 hours ago

Fediverse


🟠 CVE-2025-11157 - High (7.8)

A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. The vulnerability arises fr...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda

Posted 23h ago

Overview

  • Python Software Foundation
  • CPython

03 Dec 2025
Published
22 Dec 2025
Updated

CVSS v4.0
MEDIUM (6.3)
EPSS
0.16%

KEV

Description

When building nested elements using xml.dom.minidom methods such as appendChild() that depend on _clear_id_cache(), the algorithm is quadratic. Availability can be impacted when building excessively nested documents.

Statistics

  • 1 Post

Last activity: 16 hours ago

Bluesky

Just published a deep dive on #SUSE's critical security advisory (SUSE-SU-2025:4538-1) for CVE-2025-12084. It's more than just a patch note. Read more: 👉 tinyurl.com/4van5vp7 #Security
Posted 16h ago

Overview

  • Go standard library
  • crypto/tls

29 Oct 2025
Published
04 Nov 2025
Updated

CVSS
Pending
EPSS
0.02%

KEV

Description

When Conn.Handshake fails during ALPN negotiation, the error contains attacker-controlled information (the ALPN protocols sent by the client) which is not escaped.

Statistics

  • 1 Post

Last activity: 16 hours ago

Bluesky

Just published a deep-dive analysis on the recent #Fedora 42 security advisory. It's not just one CVE—it's a coordinated patch for six vulnerabilities in the Go-based Cloud SQL Proxy, headlined by CVE-2025-58189. Read more: 👉 tinyurl.com/trwu97dt #Security
Posted 16h ago

Overview

  • Pending

22 Dec 2025
Published
22 Dec 2025
Updated

CVSS
Pending
EPSS
8.84%

KEV

Description

A Local File Inclusion (LFI) vulnerability exists in the Webmail Classic UI of Zimbra Collaboration (ZCS) 10.0 and 10.1 because of improper handling of user-supplied request parameters in the RestFilter servlet. An unauthenticated remote attacker can craft requests to the /h/rest endpoint to influence internal request dispatching, allowing inclusion of arbitrary files from the WebRoot directory.

Statistics

  • 2 Posts

Last activity: 15 hours ago

Fediverse


CVE-2025-68645 - A Local File Inclusion (LFI) vulnerability in the Webmail Classic UI of Zimbra Collaboration

github.com/MaxMnMl/zimbramail-

Posted 15h ago

Overview

  • Go standard library
  • os/exec

18 Sep 2025
Published
04 Nov 2025
Updated

CVSS
Pending
EPSS
0.02%

KEV

Description

If the PATH environment variable contains paths which are executables (rather than just directories), passing certain strings to LookPath ("", ".", and "..") can result in the binaries listed in the PATH being unexpectedly returned.

Statistics

  • 2 Posts

Last activity: 13 hours ago

Bluesky

Just published: An in-depth analysis of the critical #Fedora Delve debugger vulnerability (FEDORA-2025-3591ae9dd3 / CVE-2025-47906). Read more: 👉 tinyurl.com/mvsr65na #Security
Posted 16h ago

🚨 CRITICAL UPDATE for #GoLang devs using Google Wire for DI. CVE-2025-47906 allows command execution hijack via os/exec.LookPath. #Fedora 42 patch is live (v0.6.0-14). Read more: 👉 tinyurl.com/ymyv4r67 #Security
Posted 13h ago

Overview

  • symfony
  • symfony

12 Nov 2025
Published
13 Nov 2025
Updated

CVSS v3.1
HIGH (7.3)
EPSS
0.02%

KEV

Description

Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony's HttpFoundation component defines an object-oriented layer for the HTTP specification. Starting in version 2.0.0 and prior to version 5.4.50, 6.4.29, and 7.3.7, the `Request` class improperly interprets some `PATH_INFO` in a way that leads to representing some URLs with a path that doesn't start with a `/`. This can allow bypassing some access control rules that are built with this `/`-prefix assumption. Starting in versions 5.4.50, 6.4.29, and 7.3.7, the `Request` class now ensures that URL paths always start with a `/`.

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

CVE-2025-64500: Incorrect parsing of PATH_INFO can lead to limited authorization bypass - Laravel 11.47.0 https://cstu.io/6fd4f5 #python #oneplus #techie
Posted 3h ago

Overview

  • Meta
  • react-server-dom-webpack

03 Dec 2025
Published
11 Dec 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
47.37%

Description

A pre-authentication remote code execution vulnerability exists in React Server Components versions 19.0.0, 19.1.0, 19.1.1, and 19.2.0 including the following packages: react-server-dom-parcel, react-server-dom-turbopack, and react-server-dom-webpack. The vulnerable code unsafely deserializes payloads from HTTP requests to Server Function endpoints.

Statistics

  • 1 Post

Last activity: 20 hours ago

Bluesky

A nine-month campaign used React2Shell (CVE-2025-55182) and other N-day flaws to enroll IoT devices and web apps into the RondoDox botnet, deploying miners and Mirai variants.
Posted 20h ago

Overview

  • Airoha Technology Corp.
  • AB156x, AB157x, AB158x, AB159x series, AB1627

04 Aug 2025
Published
05 Aug 2025
Updated

CVSS
Pending
EPSS
0.09%

KEV

Description

In the Airoha Bluetooth audio SDK, there is a possible unauthorized access to the RACE protocol. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Statistics

  • 1 Post

Last activity: 12 hours ago

Bluesky

💡 Summary: Researchers Dennis Heinze and Frieder Steinmetz discovered three critical vulnerabilities (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702) in Airoha's Bluetooth audio chips, which are built into many popular headphones and earbuds. These flaws allow a complete takeover of the device, and because an attacker can control or impersonate the peripheral, they may also pose a threat to the connected smartphone. The presentation highlights these security risks and, Sony, Jabra, (1/2)
Posted 12h ago

Overview

  • Airoha Technology Corp.
  • AB156x, AB157x, AB158x, AB159x series

04 Aug 2025
Published
05 Aug 2025
Updated

CVSS
Pending
EPSS
0.07%

KEV

Description

In the Airoha Bluetooth audio SDK, there is a possible way to pair Bluetooth audio device without user consent. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.

Statistics

  • 1 Post

Last activity: 12 hours ago

Bluesky

💡 Summary: Researchers Dennis Heinze and Frieder Steinmetz discovered three critical vulnerabilities (CVE-2025-20700, CVE-2025-20701, CVE-2025-20702) in Airoha's Bluetooth audio chips, which are built into many popular headphones and earbuds. These flaws allow a complete takeover of the device, and because an attacker can control or impersonate the peripheral, they may also pose a threat to the connected smartphone. The presentation highlights these security risks and, Sony, Jabra, (1/2)
Posted 12h ago