Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post

Last activity: 2 hours ago

Bluesky

LITE XL RCE (CVE-2025-12121)
  • 0
  • 0
  • 0
  • 2h ago

Overview

  • Lynxtechnology
  • Twonky Server

19 Nov 2025
Published
19 Nov 2025
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
Pending

KEV

Description

Twonky Server 8.5.2 on Linux and Windows is vulnerable to an access control flaw. An unauthenticated attacker can bypass web service API authentication controls to leak a log file and read the administrator's username and encrypted password.

Statistics

  • 1 Post

Last activity: 1 hour ago

Fediverse

🛑 CRITICAL: CVE-2025-13315 in Twonky Server 8.5.2 (Linux/Win) lets unauthenticated attackers bypass API auth to leak admin creds. No patch—restrict access & monitor! Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 1h ago

Overview

  • lukevella
  • rallly

19 Nov 2025
Published
19 Nov 2025
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
Pending

KEV

Description

Rallly is an open-source scheduling and collaboration tool. Prior to version 4.5.4, an Insecure Direct Object Reference (IDOR) vulnerability exists in the poll finalization feature of the application. Any authenticated user can finalize a poll they do not own by manipulating the pollId parameter in the request. This allows unauthorized users to finalize other users’ polls and convert them into events without proper authorization checks, potentially disrupting user workflows and causing data integrity and availability issues. This issue has been patched in version 4.5.4.

Statistics

  • 1 Post

Last activity: Last hour

Fediverse

🔴 CVE-2025-65021 (CRITICAL, CVSS 9.1) in lukevella Rallly <4.5.4: Auth’d users can finalize others' polls via IDOR, risking data integrity. Patch to v4.5.4 ASAP! Monitor & audit poll actions. radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • Last hour

Overview

  • HAProxy Technologies
  • HAProxy Community Edition

19 Nov 2025
Published
19 Nov 2025
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.11%

KEV

Description

Inefficient algorithm complexity in mjson in HAProxy allows remote attackers to cause a denial of service via specially crafted JSON requests.

Statistics

  • 1 Post

Last activity: 15 hours ago

Fediverse

⚠️ CVE-2025-11230: HIGH severity flaw in HAProxy Community Edition (2.4.0–3.2.0) lets remote attackers cause DoS via crafted JSON. Monitor for patches, rate-limit, and filter JSON traffic. More: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 15h ago

Overview

  • flatpak
  • flatpak

15 Aug 2024
Published
02 Apr 2025
Updated

CVSS v3.1
CRITICAL (10.0)
EPSS
3.69%

KEV

Description

Flatpak is a Linux application sandboxing and distribution framework. Prior to versions 1.14.0 and 1.15.10, a malicious or compromised Flatpak app using persistent directories could access and write files outside of what it would otherwise have access to, which is an attack on integrity and confidentiality.

When `persistent=subdir` is used in the application permissions (represented as `--persist=subdir` in the command-line interface), that means that an application which otherwise doesn't have access to the real user home directory will see an empty home directory with a writeable subdirectory `subdir`. Behind the scenes, this directory is actually a bind mount and the data is stored in the per-application directory as `~/.var/app/$APPID/subdir`. This allows existing apps that are not aware of the per-application directory to still work as intended without general home directory access. However, the application does have write access to the application directory `~/.var/app/$APPID` where this directory is stored. If the source directory for the `persistent`/`--persist` option is replaced by a symlink, then the next time the application is started, the bind mount will follow the symlink and mount whatever it points to into the sandbox.

Partial protection against this vulnerability can be provided by patching Flatpak using the patches in commits ceec2ffc and 98f79773. However, this leaves a race condition that could be exploited by two instances of a malicious app running in parallel. Closing the race condition requires updating or patching the version of bubblewrap that is used by Flatpak to add the new `--bind-fd` option using the patch and then patching Flatpak to use it.

If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=bwrap` (1.15.x) or `--with-system-bubblewrap=bwrap` (1.14.x or older), or a similar option, then the version of bubblewrap that needs to be patched is a system copy that is distributed separately, typically `/usr/bin/bwrap`. This configuration is the one that is typically used in Linux distributions. If Flatpak has been configured at build-time with `-Dsystem_bubblewrap=` (1.15.x) or with `--without-system-bubblewrap` (1.14.x or older), then it is the bundled version of bubblewrap that is included with Flatpak that must be patched. This is typically installed as `/usr/libexec/flatpak-bwrap`. This configuration is the default when building from source code.

For the 1.14.x stable branch, these changes are included in Flatpak 1.14.10. The bundled version of bubblewrap included in this release has been updated to 0.6.3. For the 1.15.x development branch, these changes are included in Flatpak 1.15.10. The bundled version of bubblewrap in this release is a Meson "wrap" subproject, which has been updated to 0.10.0. The 1.12.x and 1.10.x branches will not be updated for this vulnerability. Long-term support OS distributions should backport the individual changes into their versions of Flatpak and bubblewrap, or update to newer versions if their stability policy allows it. As a workaround, avoid using applications using the `persistent` (`--persist`) permission.

Statistics

  • 1 Post

Last activity: 14 hours ago

Bluesky

Just published: A deep dive into the critical Flatpak sandbox vulnerability, CVE-2024-42472. Read more: 👉 tinyurl.com/yz672jsj #Security #Mageia
  • 0
  • 0
  • 0
  • 14h ago

Overview

  • codesnippetspro
  • Code Snippets

19 Nov 2025
Published
19 Nov 2025
Updated

CVSS v3.1
HIGH (8.0)
EPSS
0.04%

KEV

Description

The Code Snippets plugin for WordPress is vulnerable to PHP Code Injection in all versions up to, and including, 3.9.1. This is due to the plugin's use of `extract()` on attacker-controlled shortcode attributes within the `evaluate_shortcode_from_flat_file` method, which can be used to overwrite the `$filepath` variable that is subsequently passed to `require_once`. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute arbitrary PHP code on the server via the `[code_snippet]` shortcode using PHP filter chains, provided they can trick an administrator into enabling the "Enable file-based execution" setting and creating at least one active Content snippet.

Statistics

  • 1 Post

Last activity: 16 hours ago

Fediverse

🚨 CVE-2025-13035: HIGH severity PHP code injection in Code Snippets plugin (≤3.9.1) for WordPress. Attackers with Contributor+ access & admin action can run arbitrary code. Disable file-based execution & restrict access. Details: radar.offseq.com/threat/cve-20

  • 0
  • 0
  • 0
  • 16h ago

Overview

  • Palo Alto Networks
  • PAN-OS

14 May 2025
Published
14 May 2025
Updated

CVSS v4.0
MEDIUM (5.1)
EPSS
7.24%

KEV

Description

A reflected cross-site scripting (XSS) vulnerability in the GlobalProtect™ gateway and portal features of Palo Alto Networks PAN-OS® software enables execution of malicious JavaScript in the context of an authenticated Captive Portal user's browser when they click on a specially crafted link. The primary risk is phishing attacks that can lead to credential theft—particularly if you enabled Clientless VPN. There is no availability impact to GlobalProtect features or GlobalProtect users. Attackers cannot use this vulnerability to tamper with or modify contents or configurations of the GlobalProtect portal or gateways. The integrity impact of this vulnerability is limited to enabling an attacker to create phishing and credential-stealing links that appear to be hosted on the GlobalProtect portal. For GlobalProtect users with Clientless VPN enabled, there is a limited impact on confidentiality due to inherent risks of Clientless VPN that facilitate credential theft. You can read more about this risk in the informational bulletin PAN-SA-2025-0005 (https://security.paloaltonetworks.com/PAN-SA-2025-0005). There is no impact to confidentiality for GlobalProtect users if you did not enable (or you disable) Clientless VPN.

Statistics

  • 2 Posts
  • 1 Interaction

Last activity: 17 hours ago

Fediverse

🚨 Plugin update: PaloAltoPlugin (CVE-2024-3400, CVE-2025-0133).

PaloAlto PAN-OS XSS vulnerability detection added - GlobalProtect portal affected.

Results: leakix.net/search?q=%2Bplugin%

  • 0
  • 1
  • 1
  • 17h ago

Overview

  • Pending

Pending
Published
Pending
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 7 hours ago

Fediverse

RE: infosec.exchange/@DarkWebInfor

Did someone break embargo or what? These links are apparently for 0days for CVE-2025-11001 and CVE-2025-11002 but neither one of those are published as of right now.

cve.org/CVERecord?id=CVE-2025-

cve.org/CVERecord?id=CVE-2025-

  • 0
  • 1
  • 0
  • 7h ago

Overview

  • Vivotek
  • Affected device model numbers are FD7131-VVTK,FD7131-VVTK,FD7131-VVTK,FD7141-VVTK,IP7131-VVTK,IP7133-VVTK,IP7133-VVTK,IP7133-VVTK,IP7134-VVTK,IP7135-VVTK,IP7135-VVTK,IP7135-VVTK,IP7135-VVTK,IP7137-VVTK,IP7137-VVTK,IP7137-VVTK,IP7137-VVTK,IP7137-VVTK,IP7137-VVTK,IP7138-VVTK,IP7142-VVTK,IP7142-VVTK,IP7151-VVTK,IP7152-VVTK,IP7153-VVTK,IP7153-VVTK,IP7154-VVTK,IP7330-VVTK,IP7330-VVTK,IP7330-VVTK,IP8131-VVTK,IP8131-VVTK,IP8131-VVTK,IP8131W-VVTK,PT7135-VVTK,PT7137-TCON,PT7137-VVTK,PT7137-VVTK,PT7137-VVTK,PT7137-VVTK,PZ7131-VVTK,PZ7131-VVTK,PZ71X1-VVTK,PZ71X1-VVTK,PZ71X2-VVTK,SD73X3-VVTK,SD73X3-VVTK,SD73X3-VVTK,TC5330-VVTK,TC5332-TCVV,TC5333-TCVV,TC5633-TCVV,TC5633-VVTK,VS7100-VVTK,VS7100-VVTK,VS7100-VVTK

19 Nov 2025
Published
19 Nov 2025
Updated

CVSS v4.0
CRITICAL (9.3)
EPSS
Pending

KEV

Description

Legacy Vivotek device firmware uses default credentials for the root and user login accounts.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 10 hours ago

Fediverse

  • 0
  • 1
  • 0
  • 10h ago

Overview

  • Pending

19 Nov 2025
Published
19 Nov 2025
Updated

CVSS
Pending
EPSS
Pending

KEV

Description

The Axel Technology WOLF1MS and WOLF2MS devices (firmware versions 0.8.5 to 1.0.3) are vulnerable to Broken Access Control due to missing authentication on the /cgi-bin/gstFcgi.fcgi endpoint. Unauthenticated remote attackers can list user accounts, create new administrative users, delete users, and modify system settings, leading to full compromise of the device.

Statistics

  • 1 Post
  • 1 Interaction

Last activity: 10 hours ago

Fediverse

  • 0
  • 1
  • 0
  • 10h ago