
Overview

  • Sierra Wireless

06 May 2019
Published
13 Dec 2025
Updated

CVSS
Pending
EPSS
0.18%

Description

An exploitable remote code execution vulnerability exists in the upload.cgi functionality of Sierra Wireless AirLink ES450 FW 4.9.3. A specially crafted HTTP request can upload a file, resulting in executable code being uploaded to, and reachable through, the webserver. An attacker can make an authenticated HTTP request to trigger this vulnerability.

Statistics

  • 2 Posts

Last activity: 6 hours ago

Fediverse


🚨 Two more vulnerabilities have been added to the CISA KEV Catalog

CVE-2018-4063: Sierra Wireless AirLink ALEOS Unrestricted Upload of File with Dangerous Type

CVSS: 8.8

CVE-2025-14174: Google Chromium Out of Bounds Memory Access

CVSS: 8.8

darkwebinformer.com/cisa-kev-c

  • 0
  • 0
  • 0
  • 6h ago

Bluesky

~Cisa~ CISA added CVE-2018-4063, an actively exploited Sierra Wireless AirLink vulnerability, to its KEV catalog. - IOCs: CVE-2018-4063 - #CISA #CVE20184063 #ThreatIntel
  • 0
  • 0
  • 0
  • 9h ago

Overview

  • Ivanti
  • Endpoint Manager

09 Dec 2025
Published
10 Dec 2025
Updated

CVSS v3.1
CRITICAL (9.6)
EPSS
0.04%

KEV

Description

Stored XSS in Ivanti Endpoint Manager prior to version 2024 SU4 SR1 allows a remote unauthenticated attacker to execute arbitrary JavaScript in the context of an administrator session. User interaction is required.

Statistics

  • 1 Post
  • 3 Interactions

Last activity: 9 hours ago

Fediverse


Ivanti has released software updates to address a critical vulnerability in its Endpoint Manager software

Vulnerability:
CVE-2025-10573 - cross-site scripting

Impact: Allows an attacker to remotely execute code without authentication

Remediation: Apply patch ASAP

#cybersecurity #vulnerabilitymanagement #Ivanti

bleepingcomputer.com/news/secu

  • 2
  • 1
  • 0
  • 9h ago

Overview

  • Apache Software Foundation
  • Apache Tika PDF parser module
  • org.apache.tika:tika-parser-pdf-module

20 Aug 2025
Published
04 Nov 2025
Updated

CVSS
Pending
EPSS
0.03%

KEV

Description

Critical XXE in the Apache Tika tika-parser-pdf-module, Apache Tika 1.13 through and including 3.2.1, on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. An attacker may be able to read sensitive data or trigger malicious requests to internal resources or third-party servers. Note that the tika-parser-pdf-module is used as a dependency in several Tika packages including at least: tika-parsers-standard-modules, tika-parsers-standard-package, tika-app, tika-grpc and tika-server-standard. Users are recommended to upgrade to version 3.2.2, which fixes this issue.

Statistics

  • 1 Post
  • 39 Interactions

Last activity: 17 hours ago

Fediverse


On Apache Tika vulnerability CVE-2025-66516

- The fix was released in August.

- It's the same vulnerability as CVE-2025-54988 from August, they just issued a new CVE (which they probably shouldn't have) as they filed the scope wrong.

- It doesn't provide RCE. You can read local files with it as the Java user, e.g. /etc/passwd.

- Exploitation requires knowing a specific endpoint which processes PDFs to be vulnerable (so exploitation would be tailored).

It's not one to panic over.

  • 10
  • 29
  • 0
  • 17h ago

Overview

  • Apache Software Foundation
  • Apache Tika core
  • org.apache.tika:tika-core

04 Dec 2025
Published
05 Dec 2025
Updated

CVSS
Pending
EPSS
0.06%

KEV

Description

Critical XXE in Apache Tika tika-core (1.13-3.2.1), tika-pdf-module (2.0.0-3.2.1) and tika-parsers (1.13-1.28.5) modules on all platforms allows an attacker to carry out XML External Entity injection via a crafted XFA file inside of a PDF. This CVE covers the same vulnerability as in CVE-2025-54988. However, this CVE expands the scope of affected packages in two ways. First, while the entrypoint for the vulnerability was the tika-parser-pdf-module as reported in CVE-2025-54988, the vulnerability and its fix were in tika-core. Users who upgraded the tika-parser-pdf-module but did not upgrade tika-core to >= 3.2.2 would still be vulnerable. Second, the original report failed to mention that in the 1.x Tika releases, the PDFParser was in the "org.apache.tika:tika-parsers" module.
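The point both Tika entries make is that the affected ranges differ per artifact and that the fix lives in tika-core, so a build that bumped only tika-parser-pdf-module stays exposed. The following triage helper, added here as an example and not Apache Tika's own tooling, encodes exactly the inclusive ranges quoted in the descriptions above (tika-core 1.13 to 3.2.1, tika-parser-pdf-module 2.0.0 to 3.2.1, tika-parsers 1.13 to 1.28.5) and flags that mismatch. It assumes the `org.apache.tika:<artifact>:jar:<version>:<scope>` line format that `mvn dependency:tree` prints; the tree excerpt it runs on is a constructed sample.

```python
"""Added triage helper for the Apache Tika XFA/XXE issue (CVE-2025-54988, re-scoped
as CVE-2025-66516). This is example code written for this page, not Apache Tika's
own tooling. The inclusive affected ranges are the ones the description above
lists; the mvn dependency:tree excerpt is a constructed sample."""
import re

# Inclusive affected ranges per artifact, taken from the CVE-2025-66516 text.
AFFECTED = {
    "tika-core": ((1, 13, 0), (3, 2, 1)),
    "tika-parser-pdf-module": ((2, 0, 0), (3, 2, 1)),
    "tika-parsers": ((1, 13, 0), (1, 28, 5)),
}
FIXED_CORE = (3, 2, 2)  # tika-core must be at or above this, whatever the pdf module says

# Matches "org.apache.tika:<artifact>:jar[:classifier]:<version>" as printed by
# `mvn dependency:tree` (assumed line format; a constructed sample is below).
DEP_RE = re.compile(
    r"org\.apache\.tika:([A-Za-z0-9-]+):jar(?::[A-Za-z0-9-]+)?:(\d+(?:\.\d+)*)"
)


def parse_version(text):
    """'1.13' -> (1, 13, 0); anything after the third numeric part is ignored."""
    parts = [int(p) for p in text.split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def tika_artifacts(tree_text):
    """Map every org.apache.tika artifact in dependency:tree output to its version tuple."""
    return {m.group(1): parse_version(m.group(2)) for m in DEP_RE.finditer(tree_text)}


def is_affected(artifact, version):
    rng = AFFECTED.get(artifact)
    return rng is not None and rng[0] <= version <= rng[1]


def assess(tree_text):
    """Return (sorted list of vulnerable artifacts, core_mismatch flag).

    core_mismatch is the trap the advisory calls out: tika-parser-pdf-module was
    bumped to a fixed release while tika-core stayed inside the affected range."""
    arts = tika_artifacts(tree_text)
    vulnerable = sorted(a for a, v in arts.items() if is_affected(a, v))
    pdf, core = arts.get("tika-parser-pdf-module"), arts.get("tika-core")
    core_mismatch = (
        pdf is not None and pdf >= FIXED_CORE
        and core is not None and is_affected("tika-core", core)
    )
    return vulnerable, core_mismatch


# Constructed sample: the pdf module was upgraded, tika-core was pinned elsewhere.
SAMPLE_TREE = """\
[INFO] +- org.apache.tika:tika-parser-pdf-module:jar:3.2.2:compile
[INFO] |  +- org.apache.tika:tika-core:jar:3.2.1:compile
[INFO] |  \\- org.apache.pdfbox:pdfbox:jar:3.0.0:compile
[INFO] \\- org.apache.tika:tika-parsers-standard-package:jar:3.2.2:compile
"""

if __name__ == "__main__":
    vuln, mismatch = assess(SAMPLE_TREE)
    print("vulnerable:", vuln)
    print("pdf module fixed but tika-core still affected:", mismatch)
```

Run it against `mvn dependency:tree` output (or the equivalent Gradle listing, after adapting `DEP_RE`) from each service that parses PDFs; the 1.x `tika-parsers` entry matters for older deployments that never moved to the 2.x module layout. A `core_mismatch` of `True` means the dependency-management override for tika-core needs to move to 3.2.2 or later.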

Statistics

  • 1 Post
  • 39 Interactions

Last activity: 17 hours ago

Fediverse


On Apache Tika vulnerability CVE-2025-66516

- The fix was released in August.

- It's the same vulnerability as CVE-2025-54988 from August, they just issued a new CVE (which they probably shouldn't have) as they filed the scope wrong.

- It doesn't provide RCE. You can read local files with it as the Java user, e.g. /etc/passwd.

- Exploitation requires knowing a specific endpoint which processes PDFs to be vulnerable (so exploitation would be tailored).

It's not one to panic over.

  • 10
  • 29
  • 0
  • 17h ago

Overview

  • Google
  • Chrome

26 Aug 2025
Published
28 Aug 2025
Updated

CVSS
Pending
EPSS
0.10%

KEV

Description

Use after free in ANGLE in Google Chrome prior to 139.0.7258.154 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: Critical)

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 21 hours ago

Fediverse


Google seals critical Chrome flaw (CVE-2025-9478) under attack: "use-after-free" bug in WebGL lets hackers run code via rigged pages. Update to v139.0.7258.154+ NOW! 🔒💻 heise.de/en/news/Chrome-update #ChromeUpdate #CyberSecurity
#Newz

  • 1
  • 0
  • 0
  • 21h ago

Overview

  • UTT
  • 进取 512W

12 Dec 2025
Published
12 Dec 2025
Updated

CVSS v4.0
HIGH (8.7)
EPSS
Pending

KEV

Description

A vulnerability was found in UTT 进取 512W up to 1.7.7-171114. It affects an unknown part of the file /goform/formWebAuthGlobalConfig. Manipulating the argument hidcontact results in memory corruption. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
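The description names the endpoint and the parameter but not what a malicious value looks like, so the one thing a defender can do at the network edge is watch that parameter. The heuristic below is added here as an example and is not UTT firmware code or any vendor signature: it parses a raw HTTP request, merges query-string and form-body parameters, and reports a `hidcontact` value sent to `/goform/formWebAuthGlobalConfig` that exceeds a length threshold. The 64-byte threshold is an assumption (the page does not say how the argument is corrupted), and both requests it runs on are constructed.

```python
"""Added detection heuristic for the UTT 进取 512W memory-corruption issue in
/goform/formWebAuthGlobalConfig. Example code written for this page, not UTT's
firmware or any vendor signature. The page only says that manipulating the
`hidcontact` argument corrupts memory; the 64-byte length threshold is an
assumption for a heuristic, and both captured requests below are constructed."""
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/formWebAuthGlobalConfig"
PARAM = "hidcontact"
MAX_LEN = 64  # assumption: a legitimate contact string is short


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into (method, target, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


def form_params(target, headers, body):
    """Merge query-string and urlencoded-body parameters into {name: [values]}."""
    url = urlsplit(target)
    params = parse_qs(url.query, keep_blank_values=True)
    ctype = headers.get("content-type", "")
    if body and ctype.startswith("application/x-www-form-urlencoded"):
        for name, values in parse_qs(body.decode("latin-1"), keep_blank_values=True).items():
            params.setdefault(name, []).extend(values)
    return url.path, params


def inspect_request(raw):
    """Return a finding dict for an oversized hidcontact sent to the target path, else None."""
    method, target, headers, body = parse_http_request(raw)
    path, params = form_params(target, headers, body)
    if path != TARGET_PATH or PARAM not in params:
        return None
    longest = max(len(v) for v in params[PARAM])  # length after URL-decoding
    if longest <= MAX_LEN:
        return None
    return {"method": method, "path": path, "param": PARAM, "length": longest}


def build_request(hidcontact):
    """Construct a sample form POST to the endpoint (test input, not real device traffic)."""
    body = f"hidcontact={hidcontact}&submit=1".encode()
    head = (
        f"POST {TARGET_PATH} HTTP/1.1\r\n"
        "Host: 192.0.2.1\r\n"
        "Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n"
    )
    return head.encode() + body


# Constructed samples: an ordinary contact value and an oversized one.
BENIGN = build_request("admin%40example.com")
SUSPICIOUS = build_request("A" * 600)

if __name__ == "__main__":
    for raw in (BENIGN, SUSPICIOUS):
        print(inspect_request(raw))
```

The check has to run where the request is in the clear, so in a reverse proxy or WAF in front of the device's admin interface rather than on a passive tap of TLS traffic; since the page says the exploit is public, the more reliable control is keeping the admin interface off untrusted networks until a vendor fix exists.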

Statistics

  • 1 Post
  • 2 Interactions

Last activity: 9 hours ago

Overview

  • Apache Software Foundation
  • Apache Airflow
  • apache-airflow

23 Oct 2023
Published
13 Feb 2025
Updated

CVSS
Pending
EPSS
0.64%

KEV

Description

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Apache Airflow. This issue affects Apache Airflow from 2.4.0 to 2.7.0. Sensitive configuration information is exposed to authenticated users who can read configuration via the Airflow REST API configuration endpoint, even when the expose_config option is set to non-sensitive-only. The expose_config option is False by default. If you set expose_config to non-sensitive-only, upgrade to a version that is not affected. This is a different issue from CVE-2023-45348, which allows an authenticated user to retrieve individual configuration values in 2.7.* by specially crafting the request (fixed in 2.7.2). Users are recommended to upgrade to version 2.7.2, which fixes this issue and additionally fixes CVE-2023-45348.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 10 hours ago

Fediverse


Per NVD it's only a 4.3 but it's in the payments system so I'm guessing this is why a Friday update instead of waiting till Monday.

nvd.nist.gov/vuln/detail/cve-2

  • 0
  • 1
  • 0
  • 10h ago

Overview

  • notepad-plus-plus
  • notepad-plus-plus

23 Jun 2025
Published
23 Oct 2025
Updated

CVSS v3.1
HIGH (7.3)
EPSS
0.01%

KEV

Description

Notepad++ is a free and open-source source code editor. In versions 8.8.1 and prior, a privilege escalation vulnerability exists in the Notepad++ v8.8.1 installer that allows unprivileged users to gain SYSTEM-level privileges through insecure executable search paths. An attacker could use social engineering or clickjacking to trick users into downloading both the legitimate installer and a malicious executable into the same directory (typically the Downloads folder, a known vulnerable directory). Upon running the installer, the attack executes automatically with SYSTEM privileges. This issue has been fixed and will be released in version 8.8.2.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 11 hours ago

Fediverse


If you use PDQ, the Notepad++ 8.8.9 auto upgrade package is now available, but may require manual updates to your existing jobs to point to it. Patch that #0day if you haven't already. CVE-2025-49144

  • 0
  • 1
  • 0
  • 11h ago

Overview

  • pnggroup
  • libpng

03 Dec 2025
Published
04 Dec 2025
Updated

CVSS v3.1
HIGH (7.1)
EPSS
0.05%

KEV

Description

LIBPNG is a reference library for use in applications that read, create, and manipulate PNG (Portable Network Graphics) raster image files. Prior to 1.6.52, an out-of-bounds read vulnerability in libpng's simplified API allows reading up to 1012 bytes beyond the png_sRGB_base[512] array when processing valid palette PNG images with partial transparency and gamma correction. The PNG files that trigger this vulnerability are valid per the PNG specification; the bug is in libpng's internal state management. Upgrade to libpng 1.6.52 or later.

Statistics

  • 1 Post

Last activity: 3 hours ago

Bluesky

CVE-2025-66293 LIBPNG has an out-of-bounds read in png_image_read_composite scq.ms/48qtwII #SecQube #MicrosoftSecurity
  • 0
  • 0
  • 0
  • 3h ago

Overview

  • Red Hat
  • Red Hat Enterprise Linux 10
  • libsoup3

23 Oct 2025
Published
11 Dec 2025
Updated

CVSS
Pending
EPSS
0.05%

KEV

Description

A flaw was found in the asynchronous message queue handling of the libsoup library, widely used by GNOME and WebKit-based applications to manage HTTP/2 communications. When network operations are aborted at specific timing intervals, an internal message queue item may be freed twice due to missing state synchronization. This leads to a use-after-free memory access, potentially crashing the affected application. Attackers could exploit this behavior remotely by triggering specific HTTP/2 read and cancel sequences, resulting in a denial-of-service condition.

Statistics

  • 1 Post

Last activity: 15 hours ago

Bluesky

Just published a deep dive on the latest #Oracle Linux 10 security patch. ELSA-2025-23139 addresses CVE-2025-12105 in the libsoup3 HTTP library. Read more: 👉 tinyurl.com/4jvxyhxe #Security
  • 0
  • 0
  • 0
  • 15h ago
Showing 11 to 20 of 49 CVEs