CVE-2025-69256

Overview

serverless
serverless

30 Dec 2025

Published

30 Dec 2025

Updated

CVSS v3.1

HIGH (7.5)

EPSS

0.11%

MITRE

KEV

Description

The Serverless Framework is a framework for using AWS Lambda and other managed cloud services to build applications. Starting in version 4.29.0 and prior to version 4.29.3, a command injection vulnerability exists in the Serverless Framework's built-in MCP server package (@serverless/mcp). This vulnerability only affects users of the experimental MCP server feature (serverless mcp), which represents less than 0.1% of Serverless Framework users. The core Serverless Framework CLI and deployment functionality are not affected. The vulnerability is caused by the unsanitized use of input parameters within a call to `child_process.exec`, enabling an attacker to inject arbitrary system commands. Successful exploitation can lead to remote code execution under the server process's privileges. The server constructs and executes shell commands using unvalidated user input directly within command-line strings. This introduces the possibility of shell metacharacter injection (`|`, `>`, `&&`, etc.). Version 4.29.3 fixes the issue.

Statistics

1 Post

Last activity: 10 hours ago

Bluesky

azu @azu.bsky.social

見てる: "serverless MCP Server vulnerable to Command Injection in list-projects tool · CVE-2025-69256 · GitHub Advisory Database" https://github.com/advisories/GHSA-rwc2-f344-q6w6

0
0
0
10h ago

CVE-2025-30628

Overview

AA-Team
Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer)

31 Dec 2025

Published

31 Dec 2025

Updated

CVSS v3.1

HIGH (8.5)

EPSS

Pending

MITRE

KEV

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows SQL Injection.This issue affects Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer): from n/a through 1.2.

Statistics

1 Post

Last activity: 13 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2025-30628 - High (8.5)

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in AA-Team Amazon Affiliates Addon for WPBakery Page Builder (formerly Visual Composer) allows SQL Injection.This issue affects Amazon Affiliates Ad...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-30628/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda

0
0
0
13h ago

CVE-2018-19358

Overview

Pending

18 Nov 2018

Published

17 Sep 2024

Updated

CVSS

Pending

EPSS

0.11%

MITRE

KEV

Description

GNOME Keyring through 3.28.2 allows local users to retrieve login credentials via a Secret Service API call and the D-Bus interface if the keyring is unlocked, a similar issue to CVE-2008-7320. One perspective is that this occurs because available D-Bus protection mechanisms (involving the busconfig and policy XML elements) are not used. NOTE: the vendor disputes this because, according to the security model, untrusted applications must not be allowed to access the user's session bus socket.

Statistics

1 Post

Last activity: 22 hours ago

Fediverse

Cybersecurity & cyberwarfare @cybersecurity

It’s Time To Make A Major Change to D-Bus On Linux

Although flying well under the radar of the average Linux user, D-Bus has been an integral part of Linux distributions for nearly two decades and counting. Rather than using faster point-to-point interprocess communication via a Unix socket or such, an IPC bus allows for IP communication in a bus-like manner for convenience reasons. D-Bus replaced a few existing IPC buses in the Gnome and KDE desktop environments and became since that time the de-facto standard. Which isn’t to say that D-Bus is well-designed or devoid of flaws, hence attracting the ire of people like [Vaxry] who recently wrote an article on why D-Bus should die and proposes using hyprwire instead.

The broader context is provided by [Brodie Robertson], whose video adds interesting details, such as that Arch Linux wrote its own D-Bus implementation rather than use the reference one. Then there’s CVE-2018-19358 pertaining to the security risk of using an unlocked keyring on D-Bus, as any application on said bus can read the contents. The response by the Gnome developers responsible for D-Bus was very Wayland-like in that they dismissed the CVE as ‘works as designed’.

One reason why the proposed hyperwire/hyprtavern IPC bus would be better is on account of having actual security permissions, real validation of messages and purportedly also solid documentation. Even after nearly twenty years the documentation for D-Bus consists mostly out of poorly documented code, lots of TODOs in ‘documentation’ files along with unfinished drafts. Although [Vaxry] isn’t expecting this hyprwire alternative to be picked up any time soon, it’s hoped that it’ll at least make some kind of improvement possible, rather than Linux limping on with D-Bus for another few decades.

youtube.com/embed/upKM5mViQrY?…

hackaday.com/2025/12/31/its-ti…

0
0
0
22h ago

CVE-2025-61594

Overview

ruby
uri
uri

30 Dec 2025

Published

30 Dec 2025

Updated

CVSS v4.0

LOW (2.7)

EPSS

0.04%

MITRE

KEV

Description

URI is a module providing classes to handle Uniform Resource Identifiers. In versions prior to 0.12.5, 0.13.3, and 1.0.4, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials. When using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure. Versions 0.12.5, 0.13.3, and 1.0.4 fix the issue.

Statistics

1 Post

Last activity: 22 hours ago

Bluesky

Lambda Watchdog @lambdawatchdog.bsky.social

🚨 New MEDIUM CVE detected in AWS Lambda 🚨 CVE-2025-61594 impacts uri in 2 Lambda base images. Details: https://github.com/aws/aws-lambda-base-images/issues/363 More: https://lambdawatchdog.com/ #AWS #Lambda #CVE #CloudSecurity #Serverless

0
0
0
22h ago

CVE-2025-11157

Overview

feast-dev
feast-dev/feast

01 Jan 2026

Published

01 Jan 2026

Updated

CVSS v3.0

HIGH (7.8)

EPSS

Pending

MITRE

KEV

Description

A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. The vulnerability arises from the use of `yaml.load(..., Loader=yaml.Loader)` to deserialize `/var/feast/feature_store.yaml` and `/var/feast/materialization_config.yaml`. This method allows for the instantiation of arbitrary Python objects, enabling an attacker with the ability to modify these YAML files to execute OS commands on the worker pod. This vulnerability can be exploited before the configuration is validated, potentially leading to cluster takeover, data poisoning, and supply-chain sabotage.

Statistics

1 Post

Last activity: 3 hours ago

Fediverse

TheHackerWire @thehackerwire

🟠 CVE-2025-11157 - High (7.8)

A high-severity remote code execution vulnerability exists in feast-dev/feast version 0.53.0, specifically in the Kubernetes materializer job located at `feast/sdk/python/feast/infra/compute_engines/kubernetes/main.py`. The vulnerability arises fr...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-11157/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda

0
0
0
3h ago

CVE-2025-68664

Overview

langchain-ai
langchain

23 Dec 2025

Published

24 Dec 2025

Updated

CVSS v3.1

CRITICAL (9.3)

EPSS

0.07%

MITRE

KEV

Description

LangChain is a framework for building agents and LLM-powered applications. Prior to versions 0.3.81 and 1.2.5, a serialization injection vulnerability exists in LangChain's dumps() and dumpd() functions. The functions do not escape dictionaries with 'lc' keys when serializing free-form dictionaries. The 'lc' key is used internally by LangChain to mark serialized objects. When user-controlled data contains this key structure, it is treated as a legitimate LangChain object during deserialization rather than plain user data. This issue has been patched in versions 0.3.81 and 1.2.5.

Statistics

1 Post

Last activity: 23 hours ago

Bluesky

topickapp (IT技術系ニュースサイト) @topickapp.bsky.social

https://cyata.ai/blog/langgrinch-langchain-core-cve-2025-68664/ LangChain Coreに深刻な脆弱性（CVE-2025-68664）が発見されました。攻撃者は、LLMの応答を悪用して秘密情報を盗み、コード実行さえ可能です。直ちにバージョン1.2.5または0.3.81にアップデートし、環境変数の取り扱いに注意してください。

0
0
0
23h ago

CVE-2025-69288

Overview

kromitgmbh
titra

31 Dec 2025

Published

31 Dec 2025

Updated

CVSS v3.1

CRITICAL (9.1)

EPSS

Pending

MITRE

KEV

Description

Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitization, it leads to a Remote Code Execution. Version 0.99.49 fixes the issue.

Statistics

1 Post

Last activity: 11 hours ago

Fediverse

TheHackerWire @thehackerwire

🔴 CVE-2025-69288 - Critical (9.1)

Titra is open source project time tracking software. Prior to version 0.99.49, Titra allows any authenticated Admin user to modify the timeEntryRule in the database. The value is then passed to a NodeVM value to execute as code. Without sanitizati...

🔗 https://www.thehackerwire.com/vulnerability/CVE-2025-69288/

#CVE #vulnerability #infosec #cybersecurity #security #Tenda

0
0
0
11h ago

CVE-2025-58058

Overview

ulikunitz
xz

28 Aug 2025

Published

29 Aug 2025

Updated

CVSS v3.1

MEDIUM (5.3)

EPSS

0.08%

MITRE

KEV

Description

xz is a pure golang package for reading and writing xz-compressed files. Prior to version 0.5.14, it is possible to put data in front of an LZMA-encoded byte stream without detecting the situation while reading the header. This can lead to increased memory consumption because the current implementation allocates the full decoding buffer directly after reading the header. The LZMA header doesn't include a magic number or has a checksum to detect such an issue according to the specification. Note that the code recognizes the issue later while reading the stream, but at this time the memory allocation has already been done. This issue has been patched in version 0.5.14.

Statistics

2 Posts

Last activity: 17 hours ago

Bluesky

ferramentaslinux.bsky.social @ferramentaslinux.bsky.social

URGENT: #Fedora security update for mapcidr tool (CVE-2025-58058). Critical vulnerability patched in network reconnaissance utility used by pentesters and security teams. Impacts CIDR manipulation functions. Read more: 👉 tinyurl.com/4bhyk5sn #Security

0
0
0
21h ago

ferramentaslinux.bsky.social @ferramentaslinux.bsky.social

🚨 #Fedora 42 security alert: golang-github-projectdiscovery-mapcidr update patches 9 CVEs (CVE-2025-58058, CVE-2025-47910, etc.). Memory leaks, HTTP bypasses, and DoS flaws fixed. Critical for pentesters & cloud sec. Read more: 👉 tinyurl.com/bdtxdu2n #Security

0
0
0
17h ago

CVE-2025-58190

Overview

Pending

Pending

Published

Pending

Updated

CVSS

Pending

EPSS

Pending

MITRE

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

1 Post
1 Interaction

Last activity: 16 hours ago

Bluesky

ferramentaslinux.bsky.social @ferramentaslinux.bsky.social

URGENT: #OpenSUSE users must patch #go-sendxmpp for CVE-2025-47911 & CVE-2025-58190. High-severity memory flaws = severe DoS risk. Read more: 👉 tinyurl.com/2ttpnad4

0
1
0
16h ago

CVE-2025-47911

Overview

Pending

Pending

Published

Pending

Updated

CVSS

Pending

EPSS

Pending

MITRE

KEV

Description

This candidate has been reserved by a CVE Numbering Authority (CNA). This record will be updated by the assigning CNA once details are available.

Statistics

1 Post
1 Interaction

Last activity: 16 hours ago

Bluesky

ferramentaslinux.bsky.social @ferramentaslinux.bsky.social

URGENT: #OpenSUSE users must patch #go-sendxmpp for CVE-2025-47911 & CVE-2025-58190. High-severity memory flaws = severe DoS risk. Read more: 👉 tinyurl.com/2ttpnad4

0
1
0
16h ago