Overview
- Meta
- react-server-dom-parcel
11 Dec 2025
Published
12 Dec 2025
Updated
CVSS v3.1
HIGH (7.5)
EPSS
0.04%
KEV
Description
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Statistics
- 2 Posts
- 13 Interactions
Last activity: 8 hours ago
Fediverse
Happy patch your React Server Components again Friday to all who celebrate. The patch for CVE-2025-55184 was incomplete and still leaves systems vulnerable to DoS.
https://www.facebook.com/security/advisories/cve-2025-67779
It was found that the fix addressing CVE-2025-55184 in React Server Components was incomplete and does not prevent a denial of service attack in a specific case. React Server Components versions 19.0.2, 19.1.3 and 19.2.2 are affected, allowing unsafe deserialization of payloads from HTTP requests to Server Function endpoints. This can cause an infinite loop that hangs the server process and may prevent future HTTP requests from being served.
Bluesky
~Socket~
New Denial of Service and Source Code Exposure vulnerabilities found in React Server Components require immediate patching.
-
IOCs: CVE-2025-55184, CVE-2025-67779, CVE-2025-55183
-
#NextJS #React #ThreatIntel
Overview
Description
A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. This affects an unknown part of the file /goform/formWebAuthGlobalConfig. Performing manipulation of the argument hidcontact results in memory corruption. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Statistics
- 1 Post
- 2 Interactions
Last activity: 17 hours ago
Fediverse
Overview
- Apache Software Foundation
- Apache Airflow
- apache-airflow
23 Oct 2023
Published
13 Feb 2025
Updated
CVSS
Pending
EPSS
0.64%
KEV
Description
Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow.This issue affects Apache Airflow from 2.4.0 to 2.7.0.
Sensitive configuration information has been exposed to authenticated users with the ability to read configuration via Airflow REST API for configuration even when the expose_config option is set to non-sensitive-only. The expose_config option is False by default. It is recommended to upgrade to a version that is not affected if you set expose_config to non-sensitive-only configuration. This is a different error than CVE-2023-45348 which allows authenticated user to retrieve individual configuration values in 2.7.* by specially crafting their request (solved in 2.7.2).
Users are recommended to upgrade to version 2.7.2, which fixes the issue and additionally fixes CVE-2023-45348.
Statistics
- 1 Post
- 1 Interaction
Last activity: 17 hours ago
Fediverse
Per NVD it's only a 4.3 but it's in the payments system so I'm guessing this is why a Friday update instead of waiting till Monday.
Overview
- notepad-plus-plus
- notepad-plus-plus
23 Jun 2025
Published
23 Oct 2025
Updated
CVSS v3.1
HIGH (7.3)
EPSS
0.01%
KEV
Description
Notepad++ is a free and open-source source code editor. In versions 8.8.1 and prior, a privilege escalation vulnerability exists in the Notepad++ v8.8.1 installer that allows unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable to the same directory (typically Downloads folder - which is known as Vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges. This issue has been fixed and will be released in version 8.8.2.
Statistics
- 1 Post
- 1 Interaction
Last activity: 18 hours ago
Fediverse
If you use PDQ, the Notepad++ 8.8.9 auto upgrade package is now available, but may require manual updates to your existing jobs to point to it. Patch that #0day if you haven't already. CVE-2025-49144
Overview
- Growatt
- ShineLan-X
13 Dec 2025
Published
13 Dec 2025
Updated
CVSS v4.0
CRITICAL (9.4)
EPSS
Pending
KEV
Description
ShineLan-X contains a set of credentials for an FTP server was found within the firmware, allowing testers to establish an insecure FTP connection with the server. This may allow an attacker to replace legitimate files being deployed to devices with their own malicious versions, since the firmware signature verification is not enforced.
Statistics
- 1 Post
Last activity: 3 hours ago
Fediverse
🚨 CVE-2025-36747 (CRITICAL, CVSS 9.4): Hard-coded FTP creds in Growatt ShineLan-X 3.6.0.0 allow file tampering—no signature checks! Patch, restrict FTP, and monitor for abuse. https://radar.offseq.com/threat/cve-2025-36747-cwe-798-use-of-hard-coded-credentia-55cb0be8 #OffSeq #CVE202536747 #ICS #Infosec
Overview
- The Qt Company
- Qt
03 Dec 2025
Published
03 Dec 2025
Updated
CVSS v4.0
HIGH (8.7)
EPSS
0.12%
KEV
Description
Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation.
This issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the <img> tag could cause an application to become unresponsive.
This issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0.
Statistics
- 1 Post
Last activity: 6 hours ago
Bluesky
CVE-2025-12385 Improper validation of ![]()
tag size in Text component parser scq.ms/49ZY4lR #SecQube #MicrosoftSecurity
Overview
Description
LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.
Statistics
- 1 Post
Last activity: 10 hours ago
Bluesky
CVE-2025-66293 LIBPNG has an out-of-bounds read in png_image_read_composite scq.ms/48qtwII #SecQube #MicrosoftSecurity
Overview
- Red Hat
- Red Hat Enterprise Linux 10
- libsoup3
23 Oct 2025
Published
11 Dec 2025
Updated
CVSS
Pending
EPSS
0.05%
KEV
Description
A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed twice due to missing state synchronization. This leads to a use-after-free memory access, potentially crashing the affected application. Attackers could exploit this behavior remotely by triggering specific HTTP/2 read and cancel sequences, resulting in a denial-of-service condition.
Statistics
- 1 Post
Last activity: 22 hours ago
Bluesky
Just published a deep dive on the latest #Oracle Linux 10 security patch. ELSA-2025-23139 addresses CVE-2025-12105 in the libsoup3 HTTP library. Read more: 👉 tinyurl.com/4jvxyhxe #Security
Overview
- rupok98
- URL Shortener Plugin For WordPress
13 Dec 2025
Published
13 Dec 2025
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
Pending
KEV
Description
The URL Shortener Plugin For WordPress plugin for WordPress is vulnerable to SQL Injection via the ‘analytic_id’ parameter in all versions up to, and including, 3.0.7 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Statistics
- 1 Post
Last activity: 5 hours ago
Fediverse
🚨 CVE-2025-10738 (CRITICAL, CVSS 9.8): Unauthenticated SQL Injection in rupok98 URL Shortener Plugin for WordPress (all versions). Exploitation risks full DB compromise. Disable or restrict plugin ASAP! https://radar.offseq.com/threat/cve-2025-10738-cwe-89-improper-neutralization-of-s-08eed048 #OffSeq #WordPress #SQLi #Infosec
Overview
Description
This CVE is a duplicate of CVE-2025-55182.
Statistics
- 1 Post
Last activity: 9 hours ago
Bluesky
#ばばさん通信ダイジェスト 賛否関わらず話題になった/なりそうなものを共有しています。
Security Advisory: CVE-2025-66478
https://nextjs.org/blog/CVE-2025-66478