
Overview

  • Edimax
  • BR-6478AC V3

05 Dec 2025
Published
05 Dec 2025
Updated

CVSS v4.0
MEDIUM (5.1)
EPSS
Pending

KEV

Description

A vulnerability was detected in Edimax BR-6478AC V3 1.0.15. Affected is the function sub_416990 of the file /boafrm/formTracerouteDiagnosticRun. Manipulation of the argument host leads to OS command injection. The attack can be launched remotely. The exploit is publicly available and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
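Added example, not code from the page or from the Edimax firmware: the advisory only says that the host argument of the traceroute diagnostic reaches an OS command, so the exact command line that sub_416990 builds is an assumption here. The block shows the shell-string pattern that makes such a handler injectable next to a hardened handler that validates the target as an IP literal or DNS name and runs traceroute as an argv list with no shell (the use of "--" assumes a traceroute that honours it, as GNU getopt-based builds do).

```python
import ipaddress
import re
import subprocess

# RFC 1123 hostname label: alphanumerics and hyphens, no leading/trailing hyphen, 1-63 chars.
_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def vulnerable_command(host: str) -> str:
    """The pattern the advisory describes (assumed shape, not the firmware's code): the
    request's 'host' value is spliced into a shell command string, so ';', '|', '`' or
    '$(...)' inside it run as extra commands when the string is handed to system()."""
    return "traceroute -m 10 " + host


def is_safe_target(host: str) -> bool:
    """Accept an IPv4/IPv6 literal or a syntactically valid DNS name; reject everything else."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if not host or len(host) > 253:
        return False
    return all(_LABEL.match(label) for label in host.rstrip(".").split("."))


def hardened_command(host: str) -> list:
    """argv form executed without a shell; '--' keeps a host starting with '-' from being
    parsed as an option. Raises ValueError for anything that is not a plain target."""
    if not is_safe_target(host):
        raise ValueError("refusing traceroute target: %r" % host)
    return ["traceroute", "-m", "10", "--", host]


def accepts(host: str) -> bool:
    """True if the hardened handler would run a traceroute for this input."""
    try:
        hardened_command(host)
        return True
    except ValueError:
        return False


def run_traceroute(host: str) -> str:
    """Run the validated command with a timeout; stdout is returned to the caller."""
    proc = subprocess.run(hardened_command(host), capture_output=True, text=True,
                          timeout=90, check=False)
    return proc.stdout
```

Validation before execution matters even with the argv form: a host value is never interpreted by a shell there, but rejecting anything that is not an address or name also blocks option smuggling and keeps the diagnostic from being used as a generic network probe.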

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 2 hours ago

Overview

  • WatchGuard
  • Fireware OS

04 Dec 2025
Published
05 Dec 2025
Updated

CVSS v4.0
HIGH (7.5)
EPSS
0.04%

KEV

Description

A stack-based buffer overflow vulnerability [CWE-121] in WatchGuard Fireware OS's certificate request command could allow an authenticated privileged user to execute arbitrary code via specially crafted CLI commands. This issue affects Fireware OS from 12.0 through 12.5.12+701324 and from 12.6 through 12.11.2.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 21 hours ago

Overview

  • Google
  • Chrome

26 Apr 2021
Published
03 Aug 2024
Updated

CVSS
Pending
EPSS
1.01%

KEV

Description

Out of bounds memory access in V8 in Google Chrome prior to 90.0.4430.85 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 23 hours ago

Fediverse


Good introduction to a blog post. I came to it by chance after finishing work today, relaxing a bit after auditing a state machine, but not as complex as the Array.prototype.concat implementation, for sure.

A Bug's Life: CVE-2021-21225
tiszka.com/blog/CVE_2021_21225

  • 0
  • 1
  • 0
  • 23h ago

Overview

  • Pending

11 Jun 2021
Published
02 Dec 2025
Updated

CVSS
Pending
EPSS
32.79%

Description

OpenPLC ScadaBR through 0.9.1 on Linux and through 1.12.4 on Windows allows stored XSS via system_settings.shtm.

Statistics

  • 1 Post

Last activity: 4 hours ago

Bluesky

📌 CISA Adds OpenPLC ScadaBR XSS Vulnerability (CVE-2021-26829) to Known Exploited Vulnerabilities Catalog https://www.cyberhub.blog/article/16210-cisa-adds-openplc-scadabr-xss-vulnerability-cve-2021-26829-to-known-exploited-vulnerabilities-catalog
  • 0
  • 0
  • 0
  • 4h ago

Overview

  • Docker
  • Docker Desktop

20 Aug 2025
Published
25 Sep 2025
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
0.01%

KEV

Description

A vulnerability was identified in Docker Desktop that allows local running Linux containers to access the Docker Engine API via the configured Docker subnet, at 192.168.65.7:2375 by default. This vulnerability occurs with or without Enhanced Container Isolation (ECI) enabled, and with or without the "Expose daemon on tcp://localhost:2375 without TLS" option enabled. This can lead to execution of a wide range of privileged commands to the engine API, including controlling other containers, creating new ones, managing images etc. In some circumstances (e.g. Docker Desktop for Windows with WSL backend) it also allows mounting the host drive with the same privileges as the user running Docker Desktop.
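Added example, not Docker's code or the advisory's: a probe a practitioner can run from inside a Linux container on Docker Desktop to check whether the Engine API answers unauthenticated on the default subnet address the advisory quotes (192.168.65.7:2375). The JSON fields read back (Version, ApiVersion) are the engine's standard /version response; the fake server in the block is a constructed stand-in so the probe can be exercised offline.

```python
import json
import socket
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, HTTPServer

# Default subnet address quoted in the advisory; the Desktop VM's Engine API listens here.
DEFAULT_ENGINE_API = "http://192.168.65.7:2375"


def probe_engine_api(base_url=DEFAULT_ENGINE_API, timeout=3.0):
    """Unauthenticated GET /version against the Engine API.

    Run from inside a container. A 200 with a JSON body means the engine API is reachable
    from containers without TLS or authentication (the condition the advisory describes);
    refused, timed-out or non-JSON answers are reported as not reachable with the error text.
    """
    url = base_url.rstrip("/") + "/version"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = json.loads(resp.read().decode("utf-8"))
    except (urllib.error.URLError, socket.timeout, ValueError, ConnectionError) as exc:
        return {"reachable": False, "version": None, "api_version": None, "error": str(exc)}
    return {"reachable": True, "version": body.get("Version"),
            "api_version": body.get("ApiVersion"), "error": None}


class _FakeEngineHandler(BaseHTTPRequestHandler):
    """Constructed stand-in for the engine's /version response, used only for offline testing."""
    version = "0.0.0-fake"

    def do_GET(self):
        if self.path != "/version":
            self.send_error(404)
            return
        payload = json.dumps({"Version": self.version, "ApiVersion": "1.47"}).encode()
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)

    def log_message(self, *args):  # keep the test run quiet
        pass


def serve_fake_engine(version="0.0.0-fake"):
    """Start the stand-in on 127.0.0.1 on a free port. Returns (base_url, server);
    call server.shutdown() and server.server_close() when finished."""
    handler = type("Handler", (_FakeEngineHandler,), {"version": version})
    server = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1], server


if __name__ == "__main__":
    # Inside a container on an unpatched Desktop this prints reachable=True with the engine version.
    print(probe_engine_api())
```

A reachable answer here is the whole problem: anything that can issue a GET /version can also POST /containers/create with arbitrary bind mounts, which is why the advisory rates host access through the engine rather than the API exposure itself as the impact.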

Statistics

  • 1 Post

Last activity: 13 hours ago

Bluesky

Docker fixes critical container escape vulnerability CVE-2025-9074: full analysis and security protection guide https://qian.cx/posts/AD8E8324-D24D-406F-8A2B-1406FC8B7062
  • 0
  • 0
  • 0
  • 13h ago

Overview

  • dripadmin
  • CRM Memberships

05 Dec 2025
Published
05 Dec 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.12%

KEV

Description

The CRM Memberships plugin for WordPress is vulnerable to privilege escalation via password reset in all versions up to, and including, 2.5. This is due to missing authorization and authentication checks on the `ntzcrm_changepassword` AJAX action. This makes it possible for unauthenticated attackers to reset arbitrary user passwords and gain unauthorized access to user accounts via the `ntzcrm_changepassword` endpoint, granted they can obtain or enumerate a target user's email address. The plugin also exposes the `ntzcrm_get_users` endpoint without authentication, allowing attackers to enumerate subscriber email addresses, facilitating the exploitation of the password reset vulnerability.

Statistics

  • 1 Post

Last activity: 14 hours ago

Fediverse


⚠️ CRITICAL: CVE-2025-13313 in dripadmin CRM Memberships (≤2.5) lets unauth attackers reset user passwords & harvest emails via unprotected AJAX endpoints. Restrict access, monitor for abuse, patch ASAP. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 14h ago

Overview

  • wphocus
  • My auctions allegro

05 Dec 2025
Published
05 Dec 2025
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.06%

KEV

Description

The My auctions allegro plugin for WordPress is vulnerable to SQL Injection via the ‘auction_id’ parameter in all versions up to, and including, 3.6.32 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
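Added example, not the plugin's code: the advisory says the auction_id parameter is concatenated into a query without escaping or preparation, so the schema and query below are a constructed stand-in that reproduces that pattern in sqlite3 (the plugin runs on MySQL through $wpdb, but the UNION technique and the fix are the same). The vulnerable function leaks rows from an unrelated table through a UNION in the parameter; the hardened one restricts the parameter to an integer and binds it.

```python
import sqlite3


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory schema standing in for the plugin's tables; not its real schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE auctions (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        INSERT INTO auctions VALUES (1, 'Vintage radio'), (2, 'Old clock');
        INSERT INTO users VALUES (1, 'admin', 'hash-placeholder-1'),
                                 (2, 'editor', 'hash-placeholder-2');
    """)
    return conn


def auction_title_vulnerable(conn, auction_id: str) -> list:
    """The pattern the advisory describes: the request parameter is spliced into the SQL text,
    so a UNION in it turns a lookup by id into a read of any table the DB user can see."""
    sql = "SELECT title FROM auctions WHERE id = " + auction_id
    return [row[0] for row in conn.execute(sql)]


def auction_title_parameterized(conn, auction_id: str) -> list:
    """Hardened form: type-restrict the parameter, then bind it so it is never parsed as SQL."""
    if not auction_id.isdigit():
        raise ValueError("auction_id must be a positive integer")
    rows = conn.execute("SELECT title FROM auctions WHERE id = ?", (int(auction_id),))
    return [row[0] for row in rows]


# Constructed payload: the id is forced to no match and a UNION appends user rows to the result.
UNION_PAYLOAD = "0 UNION SELECT user_login || ':' || user_pass FROM users"
```

With $wpdb the equivalent of the bound query is $wpdb->prepare() with a %d placeholder; casting to int before building the query gives the same guarantee for a numeric id.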

Statistics

  • 1 Post

Last activity: 11 hours ago

Fediverse


🚨 CVE-2025-12850: HIGH severity SQL Injection in My auctions allegro WordPress plugin (all versions ≤3.6.32). Unauthenticated attackers can extract sensitive DB data. Patch when available, use WAF/input validation now. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 11h ago

Overview

  • vim
  • vim

02 Dec 2025
Published
05 Dec 2025
Updated

CVSS v3.1
HIGH (7.8)
EPSS
0.01%

KEV

Description

Vim is an open source, command line text editor. Prior to version 9.1.1947, an uncontrolled search path vulnerability on Windows allows Vim to execute a malicious executable placed in the current working directory while a file is being edited. On Windows, when using cmd.exe as a shell, Vim resolves external commands by searching the current working directory before system paths. When Vim invokes tools such as findstr for :grep, external commands or filters via :!, or compiler/:make commands, it may inadvertently run a malicious executable present in the same directory as the file being edited. The issue affects Vim for Windows prior to version 9.1.1947.
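Added example, not Vim's code: a check for a checkout or download directory that looks for files which would shadow the tools the advisory says Vim spawns (findstr for :grep, make for :make, and grep as a common 'grepprg') under cmd.exe's cwd-first lookup. The tool list and the PATHEXT extensions are assumptions a team would extend to match its own 'grepprg', 'makeprg' and shell settings.

```python
import os

# Names the advisory mentions Vim resolving through the shell; extend to your 'grepprg'/'makeprg'.
VIM_SPAWNED_TOOLS = ("findstr", "grep", "make")
# Executable extensions cmd.exe tries for an unqualified name (assumed default PATHEXT subset).
WINDOWS_PATHEXT = (".com", ".exe", ".bat", ".cmd")


def flag_planted_tools(names, tools=VIM_SPAWNED_TOOLS, pathext=WINDOWS_PATHEXT):
    """Return the entries from an iterable of file names that cmd.exe would run in place of a
    tool when the directory is the cwd. Matching is case-insensitive, as on Windows."""
    flagged = []
    for name in names:
        base, ext = os.path.splitext(name)
        if ext.lower() in pathext and base.lower() in tools:
            flagged.append(name)
    return sorted(flagged)


def scan_tree(root, tools=VIM_SPAWNED_TOOLS, pathext=WINDOWS_PATHEXT):
    """Walk a directory tree and return (directory, file name) pairs worth a look before
    opening anything in it with a pre-9.1.1947 Vim for Windows."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in flag_planted_tools(filenames, tools, pathext):
            hits.append((dirpath, name))
    return hits


if __name__ == "__main__":
    import sys
    for directory, name in scan_tree(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("%s\\%s would shadow %s" % (directory, name, os.path.splitext(name)[0].lower()))
```

A findstr.exe or Make.bat next to the file being opened is the whole attack, so the scan is cheap to run on incoming archives and cloned repositories; the durable fix is the Vim update, which makes it resolve these tools without the cwd-first lookup.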

Statistics

  • 1 Post

Last activity: 19 hours ago

Bluesky

High-severity vulnerability CVE-2025-66476 in Vim for Windows rocket-boys.co.jp/security-mea... #SecurityCountermeasuresLab #Security #Security
  • 0
  • 0
  • 0
  • 19h ago

Overview

  • pickplugins
  • User Verification by PickPlugins

05 Dec 2025
Published
05 Dec 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
0.19%

KEV

Description

The Email Verification, Email OTP, Block Spam Email, Passwordless login, Hide Login, Magic Login – User Verification plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.0.39. This is due to the plugin not properly validating that an OTP was generated before comparing it to user input in the "user_verification_form_wrap_process_otpLogin" function. This makes it possible for unauthenticated attackers to log in as any user with a verified email address, such as an administrator, by submitting an empty OTP value.
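Added example, not the plugin's code: the advisory says the OTP login handler compares user input with the stored OTP without first checking that one was generated, so an empty submission matches the empty stored value. The block reproduces that comparison against a constructed in-memory store (the plugin keeps this in user meta) and puts a hardened check beside it: refuse when no OTP exists, reject empty values, enforce expiry, cap attempts, compare in constant time and consume the code on success.

```python
import hmac
import secrets

OTP_TTL_SECONDS = 300
MAX_ATTEMPTS = 5

# Constructed in-memory stores: email -> (otp, expires_at) and email -> failed-attempt count.
_pending_otps = {}
_attempts = {}


def issue_otp(email, now):
    """Generate a six-digit code for the account; 'now' is a float timestamp passed in so
    the flow is deterministic."""
    otp = "%06d" % secrets.randbelow(10 ** 6)
    _pending_otps[email] = (otp, now + OTP_TTL_SECONDS)
    _attempts[email] = 0
    return otp


def otp_login_vulnerable(email, submitted):
    """The pattern the advisory describes: compare the stored value with the form field without
    checking that an OTP exists. An account that never requested one has an empty stored value
    (what a missing meta key reads back as), so an empty submission compares equal."""
    stored_otp = _pending_otps.get(email, ("", 0))[0]
    return submitted == stored_otp


def otp_login_hardened(email, submitted, now):
    entry = _pending_otps.get(email)
    if entry is None:
        return False                        # no OTP was generated for this account
    otp, expires_at = entry
    if not otp or not submitted:
        return False                        # never accept an empty code on either side
    _attempts[email] = _attempts.get(email, 0) + 1
    if now > expires_at or _attempts[email] > MAX_ATTEMPTS:
        _pending_otps.pop(email, None)      # expired or brute-forced: invalidate the code
        return False
    if not hmac.compare_digest(submitted.encode(), otp.encode()):
        return False
    _pending_otps.pop(email, None)          # single use
    _attempts.pop(email, None)
    return True
```

The "OTP exists" check is the one the advisory names, but on its own it still leaves a six-digit code open to brute force within its lifetime, which is why the attempt cap and expiry sit in the same function.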

Statistics

  • 1 Post

Last activity: 12 hours ago

Fediverse


🔥 CRITICAL: CVE-2025-12374 in 'User Verification by PickPlugins' (WP, ≤2.0.39) allows auth bypass via empty OTP—admin takeover possible. Disable plugin or implement WAF rules until patched! radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 12h ago

Overview

  • Microsoft
  • Windows

26 Aug 2025
Published
05 Dec 2025
Updated

CVSS v3.0
HIGH (7.0)
EPSS
0.23%

KEV

Description

Microsoft Windows LNK File UI Misrepresentation Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Microsoft Windows. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of .LNK files. Crafted data in an .LNK file can cause hazardous content in the file to be invisible to a user who inspects the file via the Windows-provided user interface. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-25373.

Statistics

  • 1 Post

Last activity: 7 hours ago

Bluesky

Microsoft Silently Patched CVE-2025-9491 - We Think Our Patch Provides More Security
  • 0
  • 0
  • 0
  • 7h ago
Showing 11 to 20 of 57 CVEs