
Overview

  • ruby
  • uri
  • uri

30 Dec 2025
Published
30 Dec 2025
Updated

CVSS v4.0
LOW (2.7)
EPSS
0.04%

KEV

Description

URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.

Statistics

  • 1 Post

Last activity: 12 hours ago

Bluesky

🚨 New MEDIUM CVE detected in AWS Lambda 🚨 CVE-2025-61594 impacts uri in 2 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/363 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless

Overview

  • serverless
  • serverless

30 Dec 2025
Published
30 Dec 2025
Updated

CVSS v3.1
HIGH (7.5)
EPSS
0.11%

KEV

Description

The Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications. Starting in version 4.29.0 and prior to version 4.29.3, a command injection vulnerability exists in the Serverless Framework's built-in MCP server package (@serverless/mcp). This vulnerability only affects users of the experimental MCP server feature (serverless mcp), which represents less than 0.1% of Serverless Framework users. The core Serverless Framework CLI and deployment functionality are not affected. The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (`|`, `>`, `&&`, etc.). Version 4.29.3 fixes the issue.

Statistics

  • 1 Post

Last activity: Last hour

Bluesky

่ฆ‹ใฆใ‚‹: "serverless MCP Server vulnerable to Command Injection in list-projects tool ยท CVE-2025-69256 ยท GitHub Advisory Database" https://github.com/advisories/GHSA-rwc2-f344-q6w6

Overview

  • miniOrange
  • WordPress Social Login and Register
  • miniorange-login-openid

30 Dec 2025
Published
30 Dec 2025
Updated

CVSS
Pending
EPSS
0.12%

KEV

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange WordPress Social Login and Register miniorange-login-openid allows PHP Local File Inclusion. This issue affects WordPress Social Login and Register: from n/a through <= 7.7.0.

Statistics

  • 1 Post

Last activity: 22 hours ago

Fediverse


🔴 CVE-2025-68974 - Critical (9.8)

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in miniOrange WordPress Social Login and Register miniorange-login-openid allows PHP Local File Inclusion. This issue affects Word...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda


Overview

  • FontForge
  • FontForge

31 Dec 2025
Published
31 Dec 2025
Updated

CVSS v3.0
HIGH (8.8)
EPSS
0.36%

KEV

Description

FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated array. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28563.

Statistics

  • 1 Post

Last activity: 16 hours ago

Fediverse


🟠 CVE-2025-15270 - High (8.8)

FontForge SFD File Parsing Improper Validation of Array Index Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda


Overview

  • langchain-ai
  • langchain

23 Dec 2025
Published
24 Dec 2025
Updated

CVSS v3.1
CRITICAL (9.3)
EPSS
0.07%

KEV

Description

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.

Statistics

  • 1 Post

Last activity: 13 hours ago

Bluesky

https://cyata.ai/blog/langgrinch-langchain-core-cve-2025-68664/ A serious vulnerability (CVE-2025-68664) has been discovered in LangChain Core. Attackers can abuse LLM responses to steal secrets and even execute code. Update immediately to version 1.2.5 or 0.3.81, and be careful about how environment variables are handled.

Overview

  • FontForge
  • FontForge

31 Dec 2025
Published
31 Dec 2025
Updated

CVSS v3.0
HIGH (8.8)
EPSS
0.36%

KEV

Description

FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SFD files. The issue results from the lack of validating the existence of an object prior to performing operations on the object. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-28564.

Statistics

  • 1 Post

Last activity: 16 hours ago

Fediverse


🟠 CVE-2025-15269 - High (8.8)

FontForge SFD File Parsing Use-After-Free Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability ...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda


Overview

  • FontForge
  • FontForge

31 Dec 2025
Published
31 Dec 2025
Updated

CVSS v3.0
HIGH (7.8)
EPSS
0.04%

KEV

Description

FontForge GUtils BMP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of pixels within BMP files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current user. Was ZDI-CAN-27517.

Statistics

  • 2 Posts

Last activity: 16 hours ago

Fediverse


🟠 CVE-2025-15279 - High (7.8)

FontForge GUtils BMP File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of FontForge. User interaction is required to exploit ...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda


Overview

  • kromitgmbh
  • titra

31 Dec 2025
Published
31 Dec 2025
Updated

CVSS v3.1
CRITICAL (9.1)
EPSS
Pending

KEV

Description

Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it leads to a Remote Code Execution. Version 0.99.49 fixes the issue.

Statistics

  • 1 Post

Last activity: 1 hour ago

Fediverse


🔴 CVE-2025-69288 - Critical (9.1)

Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitizati...

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda


Overview

  • thembay
  • Greenmart
  • greenmart

30 Dec 2025
Published
30 Dec 2025
Updated

CVSS
Pending
EPSS
0.12%

KEV

Description

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Greenmart greenmart allows PHP Local File Inclusion. This issue affects Greenmart: from n/a through <= 4.2.11.

Statistics

  • 1 Post

Last activity: 22 hours ago

Fediverse


🔴 CVE-2025-68983 - Critical (9.8)

Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Greenmart greenmart allows PHP Local File Inclusion. This issue affects Greenmart: from n/a through <= 4.2.11.

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda


Overview

  • Eagle-Themes
  • Eagle Booking
  • eagle-booking

30 Dec 2025
Published
30 Dec 2025
Updated

CVSS
Pending
EPSS
0.04%

KEV

Description

Missing Authorization vulnerability in Eagle-Themes Eagle Booking eagle-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eagle Booking: from n/a through <= 1.3.4.3.

Statistics

  • 1 Post

Last activity: 23 hours ago

Fediverse


🟠 CVE-2025-68976 - High (8.8)

Missing Authorization vulnerability in Eagle-Themes Eagle Booking eagle-booking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Eagle Booking: from n/a through <= 1.3.4.3.

🔗 thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda
