
Overview

  • ASUS
  • Router

25 Nov 2025
Published
26 Nov 2025
Updated

CVSS v4.0
CRITICAL (9.2)
EPSS
0.10%

KEV

Description

An authentication-bypass vulnerability exists in AiCloud. This vulnerability can be triggered by an unintended side effect of the Samba functionality, potentially allowing execution of specific functions without proper authorization. Refer to the Security Update for ASUS Router Firmware section of the ASUS Security Advisory for more information.

Statistics

  • 2 Posts

Last activity: 20 hours ago

Fediverse


The CVE-2025-59366 vulnerability "can be triggered by an unintended side effect of the Samba functionality, potentially leading to allow execution of specific functions without proper authorization." bleepingcomputer.com/news/secu

Overview

  • The Ray Team
  • Anyscale Ray

27 Nov 2025
Published
27 Nov 2025
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
Pending

KEV

Description

Anyscale Ray 2.52.0 contains an insecure default configuration in which token-based authentication for Ray management interfaces (including the dashboard and Jobs API) is disabled unless explicitly enabled by setting RAY_AUTH_MODE=token. In the default unauthenticated state, a remote attacker with network access to these interfaces can submit jobs and execute arbitrary code on the Ray cluster. NOTE: The vendor plans to enable token authentication by default in a future release. They recommend enabling token authentication to protect your cluster from unauthorized access.

Statistics

  • 1 Post

Last activity: 5 hours ago

Fediverse


🚨 CVE-2025-34351 (CRITICAL): Anyscale Ray 2.52.0 has token auth OFF by default—remote attackers can execute code via mgmt interfaces! Enable RAY_AUTH_MODE=token, restrict access, audit configs. Full details: radar.offseq.com/threat/cve-20

Overview

  • djangoproject
  • Django
  • django

05 Nov 2025
Published
08 Nov 2025
Updated

CVSS
Pending
EPSS
0.01%

KEV

Description

An issue was discovered in Django 5.1 before 5.1.14, 4.2 before 4.2.26, and 5.2 before 5.2.8. The methods `QuerySet.filter()`, `QuerySet.exclude()`, and `QuerySet.get()`, and the class `Q()`, are subject to SQL injection when a suitably crafted dictionary is passed, with dictionary expansion, as the `_connector` argument. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank cyberstan for reporting this issue.

Statistics

  • 1 Post

Last activity: Last hour

Bluesky

Critical Flaw: The "Secret Instruction" Hack in Django ORM (CVE-2025-64459) https://medium.com/@MuhammedAsfan/%EF%B8%8F-critical-flaw-the-secret-instruction-hack-in-django-orm-cve-2025-64459-2dfc899a165d?source=rss------bug_bounty-5

Overview

  • DirectoryThemes
  • Tiger

27 Nov 2025
Published
27 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
Pending

KEV

Description

The Tiger theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 101.2.1. This is due to the 'paypal-submit.php' file not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'administrator' role during registration and gain administrator access to the site.

Statistics

  • 1 Post

Last activity: Last hour

Fediverse


🚨 CRITICAL: CVE-2025-13675 in DirectoryThemes Tiger (WordPress) allows unauthenticated privilege escalation via 'paypal-submit.php'. All versions ≤101.2.1 affected. Disable the file & monitor admin accounts. radar.offseq.com/threat/cve-20

Overview

  • Zenitel
  • TCIV-3+

26 Nov 2025
Published
26 Nov 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
Pending

KEV

Description

An OS command injection vulnerability exists due to incomplete validation of user-supplied input. Validation fails to enforce sufficient formatting rules, which could permit attackers to append arbitrary data. This could allow an unauthenticated attacker to inject arbitrary commands.

Statistics

  • 1 Post

Last activity: 6 hours ago

Fediverse


🚨 CRITICAL: CVE-2025-64128 (CVSS 10) in Zenitel TCIV-3+—unauthenticated remote OS command injection. No patch yet. Segment, restrict access, monitor for attacks. ICS & public safety devices at risk! radar.offseq.com/threat/cve-20

Overview

  • Adobe
  • Adobe Commerce

09 Sep 2025
Published
24 Oct 2025
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
42.76%

Description

Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, raising the confidentiality and integrity impact to high. Exploitation of this issue does not require user interaction.

Statistics

  • 1 Post

Last activity: 19 hours ago

Bluesky

Magento Mayhem: How a Single Input Validation Flaw Can Cripple Your E-Commerce Store (CVE-2025-54236) Introduction: A critical vulnerability has been identified in Adobe Magento Community Edition, threatening the security of countless e-commerce platforms worldwide. Designated as CVE-2025-54236…

Overview

  • Elated Themes
  • FindAll Membership

27 Nov 2025
Published
27 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.8)
EPSS
Pending

KEV

Description

The FindAll Membership plugin for WordPress is vulnerable to Authentication Bypass in all versions up to, and including, 1.0.4. This is due to the plugin not properly logging in a user with the data that was previously verified through the 'findall_membership_check_facebook_user' and 'findall_membership_check_google_user' functions. This makes it possible for unauthenticated attackers to log in as administrative users, as long as they have an existing account on the site (which can easily be created by default through the temp user functionality) and access to the administrative user's email.

Statistics

  • 1 Post

Last activity: 3 hours ago

Fediverse


🔒 CRITICAL: CVE-2025-13539 in Elated Themes FindAll Membership (WP) allows auth bypass via social login checks. All versions up to 1.0.4 impacted. Disable plugin, audit users, secure admin emails. Details: radar.offseq.com/threat/cve-20

Overview

  • FluentBit
  • FluentBit

24 Nov 2025
Published
24 Nov 2025
Updated

CVSS
Pending
EPSS
0.10%

KEV

Description

Fluent Bit out_file plugin does not properly sanitize tag values when deriving output file names. When the File option is omitted, the plugin uses untrusted tag input to construct file paths. This allows attackers with network access to craft tags containing path traversal sequences that cause Fluent Bit to write files outside the intended output directory.

Statistics

  • 1 Post

Last activity: 11 hours ago

Bluesky

📢 A chain of 5 critical vulnerabilities in Fluent Bit exposes cloud environments to takeover 📝 According to O… https://cyberveille.ch/posts/2025-11-25-chaine-de-5-vulnerabilites-critiques-dans-fluent-bit-expose-les-environnements-cloud-a-une-prise-de-controle/ #CVE_2025_12972 #Cyberveille

Overview

  • Microsoft
  • Windows 10 Version 1809

11 Mar 2025
Published
21 Oct 2025
Updated

CVSS v3.1
HIGH (7.0)
EPSS
9.34%

Description

Improper neutralization in Microsoft Management Console allows an unauthorized attacker to bypass a security feature locally.

Statistics

  • 1 Post

Last activity: 16 hours ago

Fediverse


📰 Water Gamayun APT Exploits Novel 'MSC EvilTwin' Windows Flaw in Stealthy Attacks

⚠️ Russia-aligned APT Water Gamayun exploits novel 'MSC EvilTwin' Windows flaw (CVE-2025-26633). The attack uses malicious .msc files to proxy PowerShell execution via mmc.exe, bypassing defenses. #APT #Vulnerability #CyberAttack #WaterGamayun

🔗 cyber.netsecops.io/articles/wa

Overview

  • ray-project
  • ray

26 Nov 2025
Published
26 Nov 2025
Updated

CVSS v4.0
CRITICAL (9.4)
EPSS
Pending

KEV

Description

Ray is an AI compute engine. Prior to version 2.52.0, developers working with Ray as a development tool are exposed to a critical RCE vulnerability exploitable via Firefox and Safari. This vulnerability is due to an insufficient guard against browser-based attacks: the current defense relies on the User-Agent header starting with the string "Mozilla" as a defense mechanism. This defense is insufficient because the fetch specification allows the User-Agent header to be modified. Combined with a DNS rebinding attack against the browser, this vulnerability is exploitable against a developer running Ray who inadvertently visits a malicious website or is served a malicious advertisement (malvertising). This issue has been patched in version 2.52.0.

Statistics

  • 1 Post

Last activity: 9 hours ago

Fediverse


🚨 CVE-2025-62593 (CRITICAL): Ray AI <2.52.0 is vulnerable to RCE via DNS rebinding attacks (Firefox/Safari). Exploit enables unauthenticated code execution. Patch to 2.52.0+ ASAP! Details: radar.offseq.com/threat/cve-20
