Overview
Description
A permissions issue was addressed with additional restrictions. This issue is fixed in macOS Tahoe 26. An app may be able to access sensitive user data.
Statistics
- 1 Post
Last activity: 2 hours ago
Fediverse
🔒 HIGH severity: CVE-2025-43328 in Apple macOS allows unauthorized app access to sensitive user data. Fixed in macOS Tahoe 26. Patch now, audit permissions, and monitor endpoints. https://radar.offseq.com/threat/cve-2025-43328-an-app-may-be-able-to-access-sensit-a4271767 #OffSeq #macOS #Vuln #BlueTeam
Overview
- Daikin
- Security Gateway
11 Sep 2025
Published
11 Sep 2025
Updated
CVSS v3.1
HIGH (7.3)
EPSS
0.08%
KEV
Description
Daikin Security Gateway is vulnerable to an authorization bypass through
a user-controlled key vulnerability that could allow an attacker to
bypass authentication. An unauthorized attacker could access the system
without prior credentials.
Statistics
- 1 Post
Last activity: 8 hours ago
Bluesky
ダイキン製「Daikin Security Gateway」で重大な脆弱性(CVE-2025-10127)
rocket-boys.co.jp/security-mea...
#セキュリティ対策Lab #セキュリティ #Security
Overview
- RURBAN
- Cpanel::JSON::XS
- Cpanel-JSON-XS
08 Sep 2025
Published
08 Sep 2025
Updated
CVSS
Pending
EPSS
0.06%
KEV
Description
Cpanel::JSON::XS before version 4.40 for Perl has an integer buffer overflow causing a segfault when parsing crafted JSON, enabling denial-of-service attacks or other unspecified impact
Statistics
- 1 Post
Last activity: 22 hours ago
Bluesky
Critical security update for all #SUSE Linux Enterprise 15 SP7 users. The perl-Cpanel-JSON-XS package contains a severe integer buffer overflow vulnerability (CVE-2025-40929). Rated 9.8 CVSS, it's remotely exploitable with no authentication required. Read more:👉 tinyurl.com/m9mpwyf2 #Security
Overview
Description
The issue was addressed with improved memory handling. This issue is fixed in AirPlay audio SDK 2.7.1, AirPlay video SDK 3.6.0.126, CarPlay Communication Plug-in R18.1. An attacker on the local network may cause an unexpected app termination.
Statistics
- 1 Post
Last activity: 3 hours ago
Bluesky
[Apple CarPlay] 脆弱性CVE-2025-24132、なぜ修正パッチは適用されないのか?自動車業界の構造的課題に迫るーイノベトピア
innovatopia.jp/cyber-securi...
まず、この脆弱性の核心部分を簡単に解説します。今回発見された「CVE-2025-24132」は、専門的には「ゼロクリック・リモートコード実行(RCE)」と呼ばれる種類に分類されます。
「ゼロクリック」とは、その名の通り、ユーザーがリンクをクリックしたり、ファイルを開いたりといった操作を一切しなくても、攻撃が成立してしまうことを意味します。
Overview
Description
A file quarantine bypass was addressed with additional checks. This issue is fixed in macOS Sequoia 15.7, macOS Sonoma 14.8, macOS Tahoe 26. An app may be able to break out of its sandbox.
Statistics
- 1 Post
Last activity: 5 hours ago
Fediverse
CVE-2025-43332 (HIGH): A sandbox escape vuln in Apple macOS could let apps break isolation via file quarantine bypass. Update to Sequoia 15.7, Sonoma 14.8, or Tahoe 26. No exploits yet, patch ASAP! https://radar.offseq.com/threat/cve-2025-43332-an-app-may-be-able-to-break-out-of--5333542b #OffSeq #macOS #Vuln #Security
Overview
- instawp
- InstaWP Connect – 1-click WP Staging & Migration
11 Apr 2025
Published
11 Apr 2025
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
9.79%
KEV
Description
The InstaWP Connect – 1-click WP Staging & Migration plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 0.1.0.85 via the 'instawp-database-manager' parameter. This makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where images and other “safe” file types can be uploaded and included.
Statistics
- 1 Post
Last activity: 21 hours ago
Fediverse
🚨 CVE-2025-2636: Critical Path Traversal in InstaWP Connect WordPress Plugin
The CrowdSec Network has detected a surge of exploitation attempts targeting CVE-2025-2636, a critical path traversal vulnerability in the InstaWP Connect WordPress plugin, which is turning website staging tools into backdoors.
🧵1/7
Overview
- Red Hat
- Red Hat Enterprise Linux 10
- podman
05 Sep 2025
Published
16 Sep 2025
Updated
CVSS
Pending
EPSS
0.07%
KEV
Description
There's a vulnerability in podman where an attacker may use the kube play command to overwrite host files when the kube file container a Secrete or a ConfigMap volume mount and such volume contains a symbolic link to a host file path. In a successful attack, the attacker can only control the target file to be overwritten but not the content to be written into the file.
Binary-Affected: podman
Upstream-version-introduced: v4.0.0
Upstream-version-fixed: v5.6.1
Statistics
- 1 Post
Last activity: 21 hours ago
Bluesky
[release-25.05] podman: patch CVE-2025-9566
https://github.com/NixOS/nixpkgs/pull/443023
#security
Overview
Description
Axios is a promise based HTTP client for the browser and Node.js. When Axios prior to version 1.11.0 runs on Node.js and is given a URL with the `data:` scheme, it does not perform HTTP. Instead, its Node http adapter decodes the entire payload into memory (`Buffer`/`Blob`) and returns a synthetic 200 response. This path ignores `maxContentLength` / `maxBodyLength` (which only protect HTTP responses), so an attacker can supply a very large `data:` URI and cause the process to allocate unbounded memory and crash (DoS), even if the caller requested `responseType: 'stream'`. Version 1.11.0 contains a patch for the issue.
Statistics
- 1 Post
Last activity: 3 hours ago
Bluesky
Axiosの脆弱性がNode.jsのプロセスをクラッシュさせる可能性(CVE-2025-58754)
rocket-boys.co.jp/security-mea...
#セキュリティ対策Lab #セキュリティ #Security
Overview
- BGS Interactive
- SINAV.LINK Exam Result Module
16 Sep 2025
Published
16 Sep 2025
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
Pending
KEV
Description
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in BGS Interactive SINAV.LINK Exam Result Module allows SQL Injection.This issue affects SINAV.LINK Exam Result Module: before 1.2.
Statistics
- 1 Post
Last activity: 1 hour ago
Fediverse
🚨 CVE-2025-4688: CRITICAL SQL Injection in SINAV.LINK Exam Result Module <1.2. Remotely exploitable, no patch yet — restrict access, enable WAF, and monitor logs. Protect exam data! https://radar.offseq.com/threat/cve-2025-4688-cwe-89-improper-neutralization-of-sp-4464879c #OffSeq #Vuln #SQLi #InfoSec
Overview
Description
A weakness has been identified in DJI Mavic Spark, Mavic Air and Mavic Mini 01.00.0500. Affected is an unknown function of the component Telemetry Channel. Executing manipulation can lead to use of hard-coded cryptographic key
. The attacker needs to be present on the local network. A high complexity level is associated with this attack. The exploitability is told to be difficult. The exploit has been made available to the public and could be exploited. This vulnerability only affects products that are no longer supported by the maintainer.
Statistics
- 1 Post
Last activity: 21 hours ago
Fediverse
The write-up on GitHub and the description in the CVE don't really match, but either way, go hack some EOL DJI shit.
https://github.com/ByteMe1001/DJI-Enhanced-WiFi-Weak-Cryptography